The Agent Skills Directory

Indirect Prompt Injection (MEDIUM): The skill is vulnerable to indirect injection because it ingests data from external AWS resources into the agent's decision-making loop.
Ingestion points: drift.json (generated from terraform show -json).
Boundary markers: Absent. The agent processes the raw JSON output to categorize drift and recommend actions.
Capability inventory: Execution of terraform apply and terraform apply -refresh-only based on agent recommendations.
Sanitization: Absent. Maliciously crafted AWS resource tags or names could influence the agent's categorization or impact assessment.
Command Execution (MEDIUM): The skill explicitly executes system commands including aws sts get-caller-identity, terraform init, and terraform plan. While essential for the skill's purpose, this grants the agent control over the cloud environment's state and configuration.
Data Exposure (MEDIUM): Terraform state and plan files (drift.json) often contain sensitive plain-text information such as database passwords, API keys, or private environment variables. Reading this data into the LLM context constitutes a risk of sensitive data exposure to the model provider.

terraform-drift-detection