windows-builder
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- Remote Script Execution: The skill includes a pattern to download and execute the Chocolatey installation script from its official community repository. This is a common method for setting up package management on Windows images, though it involves executing code fetched from a remote source.
- WinRM Security Configuration: The HCL examples utilize settings like `winrm_insecure = true` and `AllowUnencrypted = "true"`. These are frequently used during the image creation phase to ensure the builder can communicate with the instance before certificates or encrypted tunnels are fully established.
- PowerShell Execution Policy: The provisioner scripts include `Set-ExecutionPolicy Bypass`. This is a standard procedure in automation to allow the execution of provisioning scripts that would otherwise be restricted by default Windows security policies.
- Administrative Access: The configuration specifies the use of the `Administrator` account for WinRM communication. This ensures the builder has the necessary privileges to perform system-level tasks like installing features and running Windows Updates.
Audit Metadata