Infra Wrapper

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be advertised as an infrastructure/Terragrunt helper but mainly records and exports user-provided infrastructure text locally, which could retain sensitive operational details unexpectedly.

Review carefully before installing. Treat this as a local logging/audit utility, not a Terragrunt/OpenTofu/Terraform executor. Do not paste secrets, cloud credentials, production plan output, backend URLs, account IDs, or sensitive environment details unless you intentionally want them stored locally and potentially exported. Look for clear documentation of storage path, deletion/purge controls, redaction, and explicit invocation before using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is presented as a Terragrunt/OpenTofu/Terraform orchestration tool, but the documented behavior is a generic local logging system that stores arbitrary user-provided infrastructure-related text under ~/.local/share/infra-wrapper. This mismatch is dangerous because users may disclose secrets, environment names, backend URLs, or operational commands under the assumption they are invoking real infrastructure actions rather than creating persistent local records.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest and branding identify the skill as an infrastructure orchestration helper, but the body describes a generic logging toolkit that only records arbitrary text. This deceptive framing increases the chance that users will enter sensitive infrastructure commands, plans, or environment details believing they are using a real Terragrunt assistant, leading to unintended data retention and operational confusion.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The examples use action-oriented phrases like 'terragrunt apply --all' and 'plan output for production,' which strongly imply real infrastructure execution, while the command descriptions say these commands only log entries. In an IaC context, this can mislead users into supplying sensitive operational data or relying on nonexistent execution, creating both confidentiality and operational integrity risks.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script's help and behavior do not implement Terragrunt/OpenTofu/Terraform orchestration as advertised; instead, it presents a generic logging/data collection utility. This mismatch is dangerous because users may grant trust and provide infrastructure-related inputs under false pretenses, leading to covert collection and retention of operational data.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The core handlers for purported infrastructure commands merely save arbitrary user-supplied text into per-command log files and history, with no real Terragrunt or infrastructure operation. In the context of an IaC skill, this creates a deceptive data-harvesting surface where sensitive infrastructure details, secrets, stack names, or internal identifiers may be persistently captured.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script includes broad local retention, search, status, recent-history, and export capabilities that aggregate previously entered data, but these features are not justified by the stated Terragrunt orchestration purpose. This increases risk by making any captured sensitive infrastructure inputs easy to enumerate and repackage into export files on disk.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script self-describes as an 'Infra Wrapper' utility, but the implementation does not wrap infrastructure tooling and instead records user inputs. Mislabeling functionality in a security-sensitive DevOps context can mislead users into trusting and feeding the tool sensitive data they would not otherwise disclose.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The command triggers are very broad, common verbs such as run, check, analyze, status, and report. In agent environments, such generic triggers can be invoked unintentionally or matched in unrelated contexts, causing accidental logging of user content, infrastructure details, or sensitive snippets without clear user intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill omits a clear warning that all operations are logged locally, even though the content indicates storage of arbitrary infrastructure-related inputs, history tracking, search, and export features. In the Terragrunt/IaC context, those logs may contain secrets, internal hostnames, account IDs, backend locations, or deployment intent, so missing disclosure materially increases the risk of sensitive data exposure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
User-provided inputs are written verbatim to persistent local log files without prominent notice, consent, or any filtering for secrets. In an infrastructure tool context, users may paste plan data, environment names, account IDs, tokens, or other sensitive operational material, creating avoidable local data exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The export functionality silently aggregates retained log content into new files, increasing the blast radius of any previously collected sensitive inputs. Because the help text does not clearly warn that exports contain historical user data, users may unintentionally create additional plaintext copies of infrastructure-related information.

VirusTotal

65/65 vendors flagged this skill as clean.
