Back to skill

Security audit

storage-obs-huawei-cloud-terraform-installer

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it needs review because it directs agents to run a networked Terraform installer and uninstaller with broad triggers, elevated-execution guidance, and no packaged installer script.

Review before installing. Only use this skill when you explicitly want Terraform installed or removed, verify the actual installer script before running any command, avoid sudo or administrator mode unless you understand exactly what will be changed, and check PATH and Terraform configuration changes such as terraform.rc after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill metadata advertises very broad activation triggers for generic Terraform setup and environment requests, which can cause the agent to invoke a network-enabled installer in situations where the user may only want advice, diagnostics, or a non-install action. In an agent setting, over-broad routing increases the chance of unintended software installation or system modification without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The markdown exposes an uninstall operation but does not warn that it may remove software, alter PATH or config files, or affect existing Terraform-based workflows. In an autonomous or semi-autonomous agent context, undocumented destructive behavior raises the risk of users triggering system changes they did not fully understand or authorize.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
**Solution:**

- Windows: Right-click → Run as administrator
- Linux: `sudo python3 install_terraform.py`

### Issue 3: Network Timeout
Confidence
72% confidence
Finding
sudo

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.