gcp-to-aws

Warn

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [DATA_EXFILTRATION]: The skill is designed to recursively read and process Terraform state files (.tfstate) and variable files (.tfvars). These files are highly sensitive and frequently contain plaintext cloud credentials, database passwords, and private network configurations. While the skill attempts to mitigate risk by auto-generating a .gitignore file for its state directory, the agent still gains full access to the sensitive source data during the discovery phase.
      • Evidence: Found in references/phases/discover/discover-iac.md (Step 1) and SKILL.md (Prerequisites).
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted infrastructure-as-code files and uses AI inference to classify resources and infer dependencies. Attackers could embed malicious instructions in HCL comments or resource metadata to bias the migration architecture or cost estimations.
      • Ingestion points: Terraform source files (.tf, .tfvars, .tfstate).
      • Boundary markers: Absent. There are no delimiters and no instructions to treat embedded HCL comments as data rather than commands.
      • Capability inventory: The skill performs local file system operations (read/write) and integrates with external MCP tools (awspricing, awsknowledge).
      • Sanitization: Absent. The skill uses regex and direct LLM interpretation of raw HCL content.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 9, 2026, 11:37 PM