Terraform Patterns

Security checks across malware telemetry and agentic risk

Overview

This Terraform helper is purpose-aligned and locally scoped, but users should be deliberate about which infrastructure files they let it inspect.

Install only if you trust the publisher and want Terraform-specific review help. Point the scripts only at intended project directories, treat generated reports as sensitive if they include secret matches or infrastructure details, and require explicit approval before running Terraform apply, import, state, force-unlock, or production workspace commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 80%
Finding
The activation conditions are broad enough to trigger on nearly any Terraform-related request, increasing the chance the skill engages when the user did not explicitly ask for repository scanning or infrastructure review. Over-broad auto-activation can cause unnecessary file access or overly invasive behavior in contexts where only conceptual advice was needed.

Missing User Warnings

Low
Confidence: 88%
Finding
The skill explicitly describes running analyzer and security-scanning scripts against `./terraform` without warning that this reads local files and may process sensitive infrastructure definitions. In an IaC context, those files often contain topology details, account identifiers, or even mishandled secrets, so silent scanning increases privacy and security risk.

VirusTotal

63/63 vendors flagged this skill as clean.
