tf-plan-review

Security checks across malware telemetry and agentic risk

Overview

This Terraform plan-review skill appears purpose-aligned, but users should review it before installing: its strong "read-only" and "no-cache" claims do not match its actual behavior, which includes local writes (an automatic `terraform init`) and temporary plan-file handling on disk.

Install only if you are comfortable letting an agent run Terraform/OpenTofu in a specific, trusted Terraform directory. Use least-privilege or read-only cloud credentials, run `terraform init` yourself after reviewing the providers and modules it will download rather than letting the skill do it, and assume plan metadata may briefly touch local disk despite the no-cache wording.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The script advertises itself as 'STRICTLY READ-ONLY' and 'never modifies state', but later auto-runs `terraform init`, which writes `.terraform/` and `.terraform.lock.hcl`, downloads providers and modules, and may trigger backend initialization side effects. This can mislead users and higher-level agents into granting execution in contexts where no filesystem or network modifications were expected.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
In the `plan` path, the tool silently runs `terraform init` when `.terraform` is absent, contradicting the manifest's claim that it is entirely read-only. In Terraform environments, `init` can modify the workspace, download providers/modules, and interact with configured backends, so this is more than a cosmetic documentation defect.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The `validate` subcommand also auto-runs `terraform init -backend=false`, which skips backend configuration but still writes `.terraform/` and the lock file and still downloads providers and modules from registries. Because the skill is marketed as entirely read-only, this hidden write and download behavior can violate execution assumptions and change repository state in automation pipelines.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The activation phrases are broad enough that the skill could trigger in contexts not clearly asking for Terraform execution, causing unintended command execution in the current directory or a user-supplied path. Because the skill has `exec: true` and `network: true`, accidental activation can lead to unplanned `terraform plan/init/validate/state` operations against real infrastructure or backends.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill markets itself as 'strictly read-only' without warning that `terraform plan` contacts the configured backend and cloud provider APIs (to read state and evaluate data sources), and that the automatic `init` contacts module and provider registries and initializes the backend; `validate` itself stays local, but the `init` it triggers does not. This can expose metadata, trigger authentication flows, or interact with sensitive environments in ways users may not expect from a supposedly local analysis step.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding
The test plan instructs users to run `terraform init` for a config that requires the null provider, which causes Terraform/OpenTofu to contact external registries and download provider binaries. While common in Terraform workflows, omitting an explicit warning means operators may unintentionally perform networked actions in environments expecting offline or hermetic testing.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This test explicitly describes using AWS credentials to run `terraform plan` against AWS resources, but it does not prominently warn that real cloud credentials may grant account access and cause API calls against live infrastructure. Even though `plan` is read-oriented, it can still enumerate infrastructure, validate providers, and interact with production accounts in ways that may expose metadata or create operational risk.

Missing User Warnings

Severity: Low
Confidence: 81%
Finding
The cleanup step uses recursive deletion under `/tmp` with a wildcard, which is dangerous if copied, modified, or run in an unexpected shell context. Although the targets are scoped to a specific prefix and look intentionally limited, destructive file deletion commands in documentation should be treated cautiously: if the prefix ever comes from a variable that is empty or unset, the glob widens to everything under `/tmp`, and small operator mistakes can broaden the effect in the same way.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
Automatic initialization occurs without prominent up-front warning in the command behavior, so users may invoke a supposedly safe analyzer and unknowingly trigger writes or network access. In CI/agent settings, that surprise side effect increases risk because operators may permit the tool under stricter policies than they would for an initializer.

VirusTotal

66/66 vendors reported this skill as clean.