terraform-plan-review
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is susceptible to data-driven instructions embedded within processed Terraform plans.
  - Ingestion points: The skill reads `plan.json` (Step 3) and extracts resource lists, both of which contain strings derived from external Terraform configuration files.
  - Boundary markers: Absent. The JSON content and resource lists are interpolated directly into the sub-agent task prompts without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill possesses the capability to execute `terraform apply` (Step 6), allowing for state-changing operations on cloud infrastructure.
  - Sanitization: None. There is no evidence of filtering or escaping for strings extracted from the plan JSON.
- [Command Execution] (LOW): The skill relies on shell command execution to perform its primary functions.
  - Evidence: Executes `aws sts get-caller-identity`, `terraform init`, `terraform plan`, and `terraform apply`.
  - Context: While an approval gate exists in Step 5, the analysis provided to the user for that approval is derived from sub-agents that are vulnerable to the injection identified above.
Recommendations
- AI detected serious security threats
Audit Metadata