terragrunt-validator
Fail
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: A hardcoded AWS account ID (562806027032) was detected within the cached example configuration files for the VPC module. According to security guidelines, hardcoding specific account identifiers is classified as a credential exposure risk and should be avoided in favor of dynamic environment variables.\n- [EXTERNAL_DOWNLOADS]: the skill references and downloads infrastructure modules and validation tools from well-known and trusted sources, such as the Terraform Registry, Aqua Security, and Cloud Posse.\n- [REMOTE_CODE_EXECUTION]: The documentation provides instructions for installing the Trivy security scanner using a shell script piped from the official Aqua Security GitHub repository. While Aqua Security is a recognized and trusted vendor, executing remote scripts directly from a URL is a significant capability.\n- [COMMAND_EXECUTION]: The skill is designed to execute Terragrunt and Terraform binaries. The included VPC test module contains a conditional gate logic ('putin_khuylo') that can prevent the execution of infrastructure provisioning if specific conditions are not met, effectively acting as a functional gate.\n- [PROMPT_INJECTION]: As a tool that parses and interprets external HCL configuration files and security scan logs, there is an inherent surface for indirect prompt injection. Maliciously crafted configuration comments or metadata could be used to attempt to influence the agent's interpretation of results during validation.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh - DO NOT USE without thorough review
Audit Metadata