Skill v1.0.0
ClawScan security
Terraform Reviewer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 11:44 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requested inputs and instructions match its stated purpose (reviewing Terraform HCL/plan for AWS security issues); there are no installs or extra credentials requested, but users must avoid pasting sensitive secrets in plans/state they provide.
- Guidance: This skill appears coherent and does what it says: analyze pasted Terraform HCL or terraform plan JSON for AWS security issues. It does not ask for credentials. IMPORTANT: terraform plan and especially terraform state can contain secrets or sensitive values — do not paste API keys, passwords, private keys, or any sensitive environment variables into the chat. If you are unsure, sanitize or redact values, or share only the resource blocks necessary for review. Prefer sharing terraform show -json output that you have inspected and scrubbed, or use local tools (tfsec, checkov, terrascan) if you cannot safely redact data. If you want extra assurance, ask the reviewer to provide a small sample analysis first (no secrets) to confirm behavior before sending larger outputs.
Review Dimensions
- Purpose & Capability (ok): Name and description (Terraform/AWS security reviewer) align with the runtime instructions: the skill is instruction-only and asks users to paste HCL or terraform plan JSON for analysis. It does not request unrelated binaries, cloud credentials, or platform access.
- Instruction Scope (note): SKILL.md confines the agent to analyzing user-provided HCL/plan/state output and explicitly states it will not use AWS credentials. However, terraform plan/state outputs can contain sensitive values (secrets, passwords, ARNs, resource identifiers). The skill asks the user to confirm no credentials are included before processing, which is appropriate but places the burden on the user to avoid accidental disclosure.
- Install Mechanism (ok): No install spec and no code files — instruction-only skills have the smallest disk/execution footprint. Nothing is downloaded or installed by the skill.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no config paths. This is proportionate to a static-analysis reviewer that operates on user-supplied text. Note: the skill suggests commands to generate plan/state which may require read-only AWS permissions, but it does not request those credentials directly.
- Persistence & Privilege (ok): always:false (default) and no request to modify agent/system configuration. The skill does not request persistent elevated privileges or modify other skills' settings.
