infrastructure-coder
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill utilizes internal Python scripts (
dockerfile-analyzer.py,k8s-manifest-validator.py, andterraform-module-scanner.py) to perform localized static analysis. These scripts rely on standard library modules and do not initiate external network connections or download remote payloads. - [SAFE]: Data processing is handled through structured JSON outputs from the analysis scripts, which are then used to populate a local reporting dashboard. The provided dashboard template (
templates/dashboard.html) includes a dedicated sanitization function (escH) to escape HTML entities, reducing the risk of indirect content manipulation or Cross-Site Scripting (XSS) when viewing results from untrusted IaC files. - [SAFE]: The skill explicitly defines operational boundaries, refusing tasks related to CI/CD pipelines or application code, which minimizes the attack surface and prevents unauthorized modification of deployment workflows.
- [SAFE]: Reference materials and generated configurations consistently promote security hardening, such as marking sensitive variables in Terraform, dropping container capabilities in Kubernetes, and using multi-stage builds to exclude build secrets from production Docker images.
- [SAFE]: No obfuscation, hardcoded credentials, or persistence mechanisms were detected in the skill's source files or scripts.
Audit Metadata