terraform-gcp
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The script `scripts/tf-init-gcp.sh` executes `terraform init`, which downloads the `hashicorp/google` provider from the official Terraform Registry. Per [TRUST-SCOPE-RULE], HashiCorp is a trusted organization, downgrading this finding to LOW/INFO.
- [COMMAND_EXECUTION] (LOW): The skill executes local shell commands to create project directories and generate Terraform configuration files (`main.tf`, `variables.tf`, etc.). These actions are transparent and necessary for the skill's purpose.
- [INDIRECT_PROMPT_INJECTION] (LOW): The bash script accepts positional arguments (project name, ID, region) and interpolates them directly into file templates using heredocs (`<< EOF`). While this creates a vulnerability surface for code injection into the generated Terraform files if the inputs are malicious, the impact is localized to the generated infrastructure code and requires a subsequent `terraform apply` by the user to take effect.
  - Ingestion points: Positional arguments in `scripts/tf-init-gcp.sh`.
  - Boundary markers: None (direct interpolation).
  - Capability inventory: File creation, `terraform init` execution.
  - Sanitization: None.
Audit Metadata