terraform-generator
Audited by Socket on Mar 4, 2026
1 alert found:
Security
This SKILL.md defines a legitimate Terraform generation workflow and its capabilities line up with its purpose. I found no embedded malware, obfuscated payloads, or explicit credential harvesting in the text. The main risks are operational: the skill mandates invoking an external validator that will run terraform and Checkov (which perform network operations, download provider plugins, and may use user-supplied cloud credentials). That creates a transitive trust and supply-chain surface (validator implementation and provider plugin ecosystem) that should be reviewed before granting this skill permission to execute with real credentials. Recommend: (1) verify and audit the devops-skills:terraform-validator implementation before use, (2) run validation in a least-privileged environment or CI with restricted credentials, and (3) ensure users do not pass long-lived or high-privilege secrets to the validator during exploratory runs.