Terraform Ai Skills
Audited by ClawScan on May 10, 2026.
Overview
The skill has a legitimate Terraform maintenance purpose, but the package appears to omit core prompt/config files while enabling broad changes across many GitHub repositories.
Install only if you can verify the missing config and prompt files or provide your own reviewed equivalents. Before running it, review the shell scripts, use a fine-grained GitHub token, test on one repository, prefer PRs over direct commits, and avoid FORCE or SKIP_VALIDATION for bulk runs.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may fail, improvise, or rely on unavailable/unreviewed instructions for operations that can modify many repositories.
The skill's core instructions reference config/*.config and prompts/*.prompt files, but the supplied file manifest lists only config/README.md and no prompts directory. For a bulk repo-mutating skill, missing core workflow files make the actual behavior and scope hard to review.
@copilot use terraform-ai-skills/config/aws.config and follow terraform-ai-skills/prompts/4-full-maintenance.prompt
Do not run bulk maintenance until the referenced config and prompt files are present, reviewed, and match the documented workflow.
A mistaken setting or prompt could create widespread commits, workflow changes, tags, or releases.
The skill is explicitly designed to make coordinated changes across many repositories, including workflows and releases. This is purpose-aligned, but high-impact if run with broad scope.
bulk-managing Terraform modules at scale — upgrading providers ... standardizing GitHub Actions workflows, automating semantic releases ... across 10–200+ module repositories
Use a dry run or one-repo test first, require PR review where possible, and avoid running against all repositories until the diff and plan are reviewed.
A token with broad organization access could let the automation change many repositories and CI workflows.
The documented GitHub permissions allow repository writes, workflow modification, PR creation, and release operations. These privileges are expected for this skill but should be constrained.
contents: write        # For commits and releases
workflows: write       # For workflow updates
pull-requests: write   # If using PR workflow
Use fine-grained, repository-scoped credentials, prefer PR-based changes, and revoke or rotate tokens after bulk maintenance.
Local scripts can modify checked-out repositories and interact with local tools using the current user's privileges.
The skill includes shell-based automation, which is normal for Terraform/git workflows but executes with the user's local permissions.
Shell scripts execute with your user permissions. Always: Review scripts before running
Review the shell scripts, run from a clean working directory or disposable environment, and keep backups or branches before bulk execution.
A single error could affect CI pipelines, releases, or Terraform compatibility across a large module fleet.
The intended scale means one bad configuration, provider constraint, or workflow change can propagate across many repositories.
Provider upgrade (170 repos) | 56 hours | 90 min
Start with one repository, then small batches, monitor CI results, and keep rollback steps ready before organization-wide rollout.
