Back to skill

Security audit

Terraform State Inventory / Terraform 资源盘点器

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly aligned with Terraform inventory work, but it promotes handling sensitive state files and unattended infrastructure remediation without enough safety guidance.

Install only if you are prepared to treat Terraform state as sensitive data and keep the skill in report-only workflows unless an authorized operator explicitly reviews plans, diffs, backups, and production impact before any remediation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly encourages parsing and exporting terraform.tfstate, but provides no warning that state files commonly contain highly sensitive infrastructure metadata and may include provider credentials, secrets, connection strings, or private resource details. In an agent context, this omission can lead users to expose state contents in logs, CI artifacts, chats, or downstream tools without appropriate handling.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill advertises automated drift remediation and rollback plans without any caution that remediation can modify or destroy live infrastructure, especially in production environments. In a DevOps/IaC context, suggesting automated corrective actions without approval gates or safety guidance increases the risk of outages, data loss, or unintended changes being executed by operators or downstream agents.

Missing User Warnings

High
Confidence
97% confidence
Finding
Promoting workflows that 'fix inconsistencies without manual intervention' normalizes unsupervised infrastructure changes while omitting any warning about irreversible effects on production resources. Given the skill’s cloud and Terraform context, this is especially dangerous because automated state or infrastructure reconciliation can cascade into service disruption, accidental resource recreation, or security policy drift.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.