The Agent Skills Directory

[COMMAND_EXECUTION]: The initialization script scripts/tf-init-gcp.sh uses positional parameters ($1, $2, and $3) to perform file system operations. Specifically, the mkdir -p "$PROJECT_NAME" and cd "$PROJECT_NAME" commands are executed without input validation or sanitization. This lack of validation allows for potential directory traversal attacks (e.g., providing a project name containing ../) which could lead to file operations in unintended directories.
[SAFE]: The VPC template in assets/vpc-module.tf defines a firewall rule allow_ssh that allows incoming traffic on port 22 from 0.0.0.0/0. While this configuration exposes the infrastructure to potential brute-force attacks from the internet, it is a common template pattern that should be restricted by the user for production deployments.
[SAFE]: The skill appropriately manages Terraform state and sensitive variables. The scripts/tf-init-gcp.sh script automatically generates a .gitignore file that excludes *.tfstate and *.tfvars files, preventing the accidental exposure of infrastructure secrets in version control systems.
[EXTERNAL_DOWNLOADS]: The skill references the official Google Cloud provider from Hashicorp. The initialization script invokes terraform init, which downloads this provider from the official Terraform Registry, a well-known and trusted service.

terraform-gcp