Terraform Engineer

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Terraform guidance skill with expected Terraform risks but no hidden execution, exfiltration, or deceptive behavior.

Safe to install as documentation, but treat command snippets as examples. Before any apply, destroy, state push/rm/mv, force-unlock, or integration test, confirm the account, workspace, backend, plan output, backup, and credential scope.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Low
Confidence: 86%
Finding
The document presents loading GCP credentials from a local service account key file, which normalizes a higher-risk authentication pattern even though it notes it is not recommended for production. In an IaC skill, examples are often copied directly, so an insufficiently strong warning and a lack of handling guidance can lead users to create, store, or commit long-lived key material insecurely.

Missing User Warnings

Medium
Confidence: 88%
Finding
The document includes powerful Terraform state commands such as state mv, state rm, state push, and backend migration steps without sufficiently explicit warnings that these operations can orphan resources, overwrite authoritative state, or cause infrastructure drift if used incorrectly. In a Terraform engineering skill, readers are likely to copy operational commands directly, so incomplete safety framing materially increases the chance of accidental disruption.

Missing User Warnings

Medium
Confidence: 95%
Finding
The force-unlock example says 'use carefully' but does not clearly explain that removing a legitimate lock while another operation is active can permit concurrent writes and corrupt state. Because Terraform state is the source of truth for managed infrastructure, unsafe unlock guidance can lead to race conditions, lost updates, and hard-to-recover deployment failures.

Missing User Warnings

Medium
Confidence: 89%
Finding
This section includes `terraform test`, `apply`, and Terratest examples that create and destroy infrastructure, but it does not clearly warn that these tests can provision, modify, and bill real cloud resources. In a Terraform engineering skill, users may copy these examples into real accounts, so the lack of safety framing increases the risk of unintended deployment, spend, or destructive changes.

VirusTotal

64/64 vendors flagged this skill as clean.
