terraform
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill instructions promote strong security postures, including the use of ephemeral resources for secrets management and the enforcement of IMDSv2 on compute instances. It explicitly warns against common supply chain risks and provides guidance on pinning dependencies to specific versions or commit hashes.
- [EXTERNAL_DOWNLOADS]: The skill references official tools and repositories from well-known organizations such as HashiCorp, the Linux Foundation, and established security projects like Checkov and TFLint. These references are documented as part of a recommended security workflow for infrastructure validation.
- [COMMAND_EXECUTION]: The workflow outlines the use of standard command-line utilities for linting, validation, and planning. The instructions explicitly state that the AI should never execute 'terraform apply' autonomously and that all plan outputs must undergo human review.
- [PROMPT_INJECTION]: The skill processes user-supplied infrastructure configurations as part of its primary function. Ingestion points: User-provided file paths or HCL content as referenced in SKILL.md. Boundary markers: The instructions do not specify explicit delimiters for untrusted data. Capability inventory: The agent is permitted to execute analysis tools like terraform, checkov, and tflint. Sanitization: The workflow relies on mandatory human review of all infrastructure changes as a primary safety control.
Audit Metadata