terraform-infrastructure-as-code
Warn
Audited by Snyk on Feb 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's "Module Sources" examples (e.g., source = "github.com/...", "git::https://...", Terraform Registry and s3:: URLs) explicitly show fetching modules and code from public third-party sources (GitHub, Registry, arbitrary URLs/S3), which Terraform will ingest and execute as part of its workflow, exposing the agent to untrusted user-provided content that could carry indirect prompt-injection-like instructions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). I flagged https://example.com/myapp/release.tar.gz because the included scripts/configure-app.sh (invoked via the remote-exec provisioner) wgets that archive at runtime and installs executables from it, meaning remote code is fetched and executed as a required dependency.
Audit Metadata