The Agent Skills Directory

[COMMAND_EXECUTION]: The scripts/agent.py script executes external security scanning binaries as its primary function.
Evidence: The script uses subprocess.run to call checkov and tfsec binaries with user-provided directory paths.
Context: The execution utilizes safe argument list formatting to prevent shell injection and is strictly limited to the intended purpose of scanning infrastructure code.
[EXTERNAL_DOWNLOADS]: The skill identifies several well-known security tools as necessary prerequisites.
Evidence: SKILL.md lists checkov, tfsec, terrascan, and Open Policy Agent (OPA) as required tools.
Context: These tools are established open-source security projects from well-known organizations. References to these resources are informative and necessary for the skill's operation.
[INDIRECT_PROMPT_INJECTION]: The skill processes external configuration data which creates a potential surface for indirect injection, though this is expected for an auditing tool.
Ingestion points: scripts/agent.py reads and parses Terraform plan JSON files (e.g., plan_json_path).
Boundary markers: None are explicitly implemented in the agent's report generation logic.
Capability inventory: The skill has permissions to execute system commands (subprocess.run) and perform file operations.
Sanitization: No specific sanitization of the input JSON content is performed prior to parsing and reporting.
[SAFE]: No signs of obfuscation, hardcoded credentials, or unauthorized data exfiltration were found. The skill operates locally on user-provided files and generates local output reports.

auditing-terraform-infrastructure-for-security