tfc-plan-json
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches structured infrastructure plan data from app.terraform.io. These network operations target a well-known service domain and are conducted via authenticated API requests.
- [COMMAND_EXECUTION]: Utilizes bash scripts and jq filters to parse and display resource changes from the Terraform plan. All commands are focused on specific data analysis tasks and do not involve arbitrary code execution.
- [PROMPT_INJECTION]: The skill processes external JSON data from the Terraform Cloud API, which presents a surface for indirect prompt injection. However, this is inherent to the skill's purpose of analyzing external data.
  - Ingestion points: JSON responses from app.terraform.io API endpoints (SKILL.md)
  - Boundary markers: Absent
  - Capability inventory: curl for network access, bash for script execution, and jq for data processing (SKILL.md)
  - Sanitization: Absent; the skill passes filtered JSON output directly to the agent context.