Skills
skills/vchirrav/product-security-ai-skills/iac-scan-tfsec/Gen Agent Trust Hub

iac-scan-tfsec

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill instructs the agent to execute shell commands (tfsec and trivy) where arguments, such as the target directory, may be influenced by user input. This creates a risk of command injection if the input is not strictly validated.
  • [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8). It ingests untrusted external Terraform (HCL) files and interprets the results of an external scanner. A malicious HCL file or a compromised scanner could produce results that manipulate the agent's logic or subsequent output. There are no boundary markers or sanitization routines defined in the instructions.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill recommends installing software via go install github.com/aquasecurity/tfsec/cmd/tfsec@latest. Since aquasecurity is not on the specific list of Trusted GitHub Organizations provided in the security protocol, this is treated as a high-risk external dependency download.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 14, 2026, 03:23 PM