infrastructure-coder
Audited by Socket on Mar 10, 2026
1 alert found:
Obfuscated File

The skill presents a coherent IaC-focused toolset aimed at generating, reviewing, and securing infrastructure code. Its stated boundaries (IaC only, no CI/CD or application code) are consistent with its modes (Terraform, Kubernetes, Docker, Review, Cost, Security) and its emphasis on best practices (version pinning, non-root containers, health checks, least privilege). There are reasonable protections against hardcoded secrets and a workflow involving analysis scripts and reference patterns. However, there are some modest risk signals: (1) reliance on external analysis scripts could become a supply-chain risk if sources are not vetted; (2) explicit secret management workflows are not described beyond general guidance; (3) no explicit handling of secret injection points, rotation, or vault integration in the generation process is shown; (4) there is a potential generic risk around data being sent to dashboards if not properly sandboxed. Overall, the footprint remains proportionate to a tool designed for IaC generation/analysis, with moderate risk primarily around external script provenance and secret handling practices.

Recommended action: ensure all analysis scripts and templates are sourced from verified, versioned registries; enforce strict secret handling workflows in generation outputs; and implement explicit environment-scoped configuration to prevent secret leakage.