Terraform Production Engineering

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Terraform guidance skill with no hidden code or install-time behavior, but users should keep sensitive infrastructure files out of broad agent access.

Install only if you want an agent to help review or design Terraform/IaC. Limit the agent to the repository or files you intend to share, and redact or exclude tfstate, tfvars, cloud credentials, plan outputs with secrets, and provider configuration containing sensitive data before asking for a review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 86%
Finding
The skill exposes very broad natural-language triggers such as 'Review this Terraform code', 'Security audit my Terraform', and 'Set up CI/CD for Terraform'. In an agent system, these generic phrases can unintentionally activate the skill for ordinary user requests, causing over-broad routing into a high-impact infrastructure/IaC workflow and potentially generating unsafe operational guidance in the wrong context.

VirusTotal

44/44 vendors flagged this skill as clean.
