terraform-aws-annotated-reference

Warn

Audited by Socket on Feb 16, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Credential file access detected

All findings:
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

No evidence of intentionally malicious code in the provided skill description. The design is coherent with the stated purpose (generate annotated Terraform templates from the official provider schema and supplemental official AWS docs via MCP servers). The main security concerns are supply-chain trust: running 'terraform init' will download and execute provider plugins from the public Terraform Registry (normal but a binary supply-chain boundary) and documentation flows depend on the listed MCP servers (trust dependency). Recommend users run in an isolated directory, verify MCP server endpoints, and optionally allow supplying a pre-fetched schema.json to avoid provider binary downloads.

LLM verification: The skill's stated purpose (generate annotated Terraform AWS resource templates) aligns with its actions. The file itself contains orchestration instructions (terraform, curl, jq, uvx) and no direct malicious code, hardcoded secrets, or obfuscation. The main supply-chain risk is the requirement to run third-party MCP servers (awslabs.terraform-mcp-server and aws-knowledge-mcp-server) and to perform terraform init which downloads provider binaries; both expand the trust boundary and could be used

Confidence: 80%
Severity: 75%
Audit Metadata
Analyzed At: Feb 16, 2026, 09:37 AM
Package URL: pkg:socket/skills-sh/donngi%2Fagent-skills%2Fterraform-aws-annotated-reference%2F@ed1ce9ecfd6478f828f55b0a9daf175a2955f2a8