v1.0.0

Terraform Cost Estimator

Benign: ClawScan verdict for this skill. Analyzed May 1, 2026, 2:50 PM.

Analysis

This is a straightforward instruction-only Terraform cost estimator; its local Terraform/Python commands fit the purpose, but users should be aware they may use existing Terraform/cloud context and create a local plan file.

Guidance: This skill appears safe to install as an instruction-only helper. Before using it, make sure you are in the correct Terraform workspace, use an appropriate least-privileged cloud profile, and treat generated Terraform plan files as potentially sensitive infrastructure data.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
terraform plan -out=plan.tfplan 2>/dev/null
terraform show -json plan.tfplan 2>/dev/null | python3 -c

The skill instructs use of local Terraform and Python commands and creates a plan file. This is central to estimating Terraform costs, but it is still command execution in the user's project environment.

User impact: If invoked in the wrong directory or against the wrong Terraform workspace, the agent could inspect unintended infrastructure configuration or produce a plan file there.
Recommendation: Run the skill only in the intended Terraform project, review the command before execution, and avoid suppressing errors if you need full visibility into Terraform warnings.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
metadata
Required binaries (all must exist): none

The registry metadata does not declare required binaries, while SKILL.md documents commands using terraform and python3. This is an under-declared dependency rather than hidden code installation.

User impact: The skill may fail or behave differently depending on the locally installed Terraform and Python versions.
Recommendation: Confirm Terraform and Python are installed from trusted sources before using the skill.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Works with AWS, GCP, and Azure resources.

Estimating costs from Terraform plans for cloud resources may rely on the user's existing Terraform provider configuration and cloud account context. The artifacts do not show credential collection, logging, or unrelated account access.

User impact: Terraform plan analysis may use whatever cloud credentials and workspace settings are already configured locally.
Recommendation: Use a least-privileged cloud/Terraform profile suitable for planning and review which workspace or account is active before running the estimator.