ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Terraform Patterns

v2.1.1

Terraform infrastructure-as-code agent skill and plugin for Claude Code, Codex, Gemini CLI, Cursor, OpenClaw. Covers module design patterns, state management...

0· 98·2 current·2 all-time
byAlireza Rezvani@alirezarezvani
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match what the included files do: two local Python scanners and a large SKILL.md with checklists. However the skill calls 'python3 scripts/...' but the registry metadata does not declare Python (or any required binary). This is a provenance/packaging omission — Python is required to run the provided scripts.
!
Instruction Scope
Runtime instructions explicitly tell the agent to read all .tf files in a target directory and run the two scanner scripts. That is expected for a Terraform reviewer, but the SKILL.md does not describe how sensitive findings are handled. The security scanner returns matched lines (which can include hardcoded access keys, secrets, or passwords), and the instructions do not instruct redaction or limits on where to scan. This raises risk of unintentionally exposing secrets in reports.
Install Mechanism
No install spec is present and all code is bundled with the skill (two Python scripts plus reference docs). There are no external downloads or installers. This lowers remote code-install risk, but it still requires an execution environment (python3).
Credentials
The skill requests no environment variables or credentials. That is appropriate. However the scanner is specifically designed to detect hardcoded credentials in Terraform files and will include matched snippets in findings. Because it will read local files containing secrets, users should be aware reports may contain sensitive values.
Persistence & Privilege
The skill is not always-enabled and does not request elevated privileges or modify other skills. It runs on-demand and has no install hooks or persistent background components.
What to consider before installing
This skill appears to do what it says (Terraform code review and security scanning) and bundles two Python scripts for local analysis. Before installing or running it: 1) Review the two scripts yourself — they run locally and use only the standard library, but inspecting them confirms there are no hidden network calls. 2) Make sure the agent/environment has python3 available (the SKILL.md calls 'python3' but the skill metadata doesn't declare it). 3) Run the scanner only against repositories you control or that do not contain production secrets — the scanner's reports include matched lines and can contain access keys, passwords, or tokens. 4) If you plan to use this in an automated/remote agent, ensure reports are not automatically uploaded to external services or logged where third parties can access them. 5) Prefer skills with a known source/homepage or run the scripts in an isolated environment (local VM or container) if the author is unknown. If you can get confirmation that the skill will redact or redact-sensitive findings and/or the metadata is updated to list python3 as a required binary, I would raise confidence and consider the package coherent.

Like a lobster shell, security has layers — review code before you run it.

latestvk970y197wfm83y09z2m4ap6m3s8388vy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments