opentofu-guide
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The documentation files references/opentofu-1.10-features.md and references/opentofu-1.11-features.md contain instructions to install the software by piping a remote script directly into a shell (curl -fsSL https://get.opentofu.org/install-opentofu.sh | sh). This pattern is highly vulnerable to supply chain attacks and man-in-the-middle exploits. Severity is reduced to HIGH because the pattern is used for its primary documentation purpose.
- EXTERNAL_DOWNLOADS (LOW): The skill references downloading infrastructure modules from OCI registries and other external provider sources (oci://ghcr.io/), which involves fetching and potentially executing third-party code.
- COMMAND_EXECUTION (MEDIUM): The files contain numerous examples of shell commands for state manipulation, key generation (openssl), and deployment (tofu apply) that could lead to unauthorized system changes or local code execution if processed by an agent without strict verification.
Recommendations
- HIGH: Downloads and executes remote code from: https://get.opentofu.org/install-opentofu.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata