pulumi-terraform-to-pulumi
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE (flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- External Downloads (LOW): The skill installs Pulumi provider packages using standard package managers like npm, pip, and dotnet. These installations are based on a generated JSON file (`/tmp/required-providers.json`). This is a legitimate part of the migration process, though it involves downloading external code.
- Command Execution (LOW): The skill executes various `pulumi` commands, including `pulumi plugin run`, `pulumi stack import`, and `pulumi up`. These are necessary for infrastructure management but involve executing external binary logic.
- Indirect Prompt Injection (LOW): The skill ingests untrusted data from Terraform source files and temporary JSON files. (1) Ingestion points: Terraform source directories and `/tmp/required-providers.json`. (2) Boundary markers: None present. (3) Capability inventory: Package installation (npm, pip, go, dotnet) and Pulumi CLI execution. (4) Sanitization: None detected. While a risk exists if these sources are malicious, the impact is confined to the migration environment.
Audit Metadata