terraform-diagrams

Warn

Audited by Socket on Feb 15, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

This skill's stated purpose (convert Terraform to Eraser DSL and render diagrams) matches most of its capabilities, but it mandates a network POST to a third-party rendering API and requires an API key. The skill also requires tracking and reporting the Terraform file paths and extracted resources, and it contains no guidance to identify or redact sensitive values before transmission. That combination creates a realistic risk of accidental credential or sensitive-data exposure. I assess the package as SUSPICIOUS: not obviously backdoored or obfuscated, but it requires sending potentially sensitive IaC content and file metadata to an external service as a mandatory step, which is disproportionate in high-security environments and could be abused for credential harvesting. Recommend treating the skill as untrusted for repositories containing secrets; require an explicit user confirmation and secret-redaction step before any external API call, or provide an offline rendering option.

Confidence: 85%
Severity: 65%
Audit Metadata
Analyzed At
Feb 15, 2026, 07:59 PM
Package URL
pkg:socket/skills-sh/eraserlabs%2Feraser-io%2Fterraform-diagrams%2F@2976bf165f0ae55cd5c4ebb6050253f62dda069e