terraform-github-actions-deploy
Pass
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: SAFE
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references several GitHub Actions published by well-known organizations (GitHub, Google, AWS, HashiCorp, Aqua Security and Bridgecrew). These are still third-party code that runs inside the job with its token, which is why the skill's SHA-pin requirement (below) matters. Evidence: SKILL.md and references/workflow-templates.md reference actions/checkout, google-github-actions/auth and hashicorp/setup-terraform.
- [COMMAND_EXECUTION]: The templates execute standard Terraform and Terragrunt CLI commands for infrastructure management; `terraform apply` is the step that mutates cloud resources with the job's credentials. Evidence: Workflow templates in SKILL.md and references/workflow-templates.md demonstrate terraform init, plan and apply operations.
- [SAFE]: The skill follows security best practice by recommending OIDC authentication over long-lived static keys and by requiring external actions to be pinned to a full commit SHA rather than a mutable tag. Evidence: Stated explicitly in the 'Key principles' and 'Checklist' sections of SKILL.md.
- [PROMPT_INJECTION]: The skill has an indirect injection surface: untrusted pull-request metadata is interpolated with `${{ }}` expressions directly into the script of an actions/github-script step. Because expression expansion is textual and happens before the script runs, an attacker-chosen value lands in the JavaScript source, not only in the comment text.
  1. Ingestion points: `github.event.pull_request.head.ref` and `github.actor` are used in the actions/github-script block in SKILL.md. The head branch name is chosen by the PR author and may contain quotes and other JavaScript syntax; `github.actor` is a GitHub username and therefore limited to letters, digits and hyphens, so the branch name is the value that matters.
  2. Boundary markers: Absent for the footer of the PR comments the script generates, so the untrusted values are not separated from the workflow's own text or code.
  3. Capability inventory: The workflow holds `pull-requests: write` and calls `github.rest.issues.createComment`, so anything injected through these expressions runs with at least that token scope against the repository.
  4. Sanitization: Absent for the footer expressions. The skill does route the main plan output through an environment variable, which is the correct pattern, but does not apply it to the two footer fields.
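The following is an added example, not code from the audited skill or from the Trust Hub report. It simulates the textual `${{ }}` expansion GitHub Actions performs on the `script:` input of actions/github-script and runs the result against a stub of the github-script API, once with the expression interpolated into the script (the pattern the finding describes) and once with the same value passed through `env:` and read from `process.env`. The footer template, the `HEAD_REF`/`ACTOR` variable names, the `acme/infra` repository, issue number 42 and the branch name are all constructed for the demonstration; the page only names the interpolated fields.

```javascript
// Added example, not code from the audited skill: simulates how GitHub Actions
// expands ${{ }} expressions inside the `script:` input of actions/github-script.
// Expansion is textual and happens before the script runs, so an untrusted value
// spliced into the source becomes JavaScript, not data. The two templates are
// assumed shapes of the skill's PR-comment footer; the page only names the fields.

// Assumed vulnerable footer: expressions expanded straight into the script text.
const VULNERABLE_SCRIPT = [
  'const body = planOutput +',
  '  "\\n\\n*Pushed by @${{ github.actor }} on `${{ github.event.pull_request.head.ref }}`*";',
  'github.rest.issues.createComment({ owner: "acme", repo: "infra", issue_number: 42, body: body });',
].join("\n");

// Assumed hardened footer: the same values arrive via the step's `env:` block
//   env:
//     HEAD_REF: ${{ github.event.pull_request.head.ref }}
//     ACTOR: ${{ github.actor }}
// and are read from process.env at run time, so they stay strings.
const HARDENED_SCRIPT = [
  'const body = planOutput +',
  '  "\\n\\n*Pushed by @" + process.env.ACTOR + " on `" + process.env.HEAD_REF + "`*";',
  'github.rest.issues.createComment({ owner: "acme", repo: "infra", issue_number: 42, body: body });',
].join("\n");

// Textual expansion of ${{ a.b.c }} against a context object, as the runner does.
function expandExpressions(source, context) {
  return source.replace(/\$\{\{\s*([\w.]+)\s*\}\}/g, (_, path) =>
    String(path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), context))
  );
}

// Run an expanded script against a recording stub of the github-script API.
// `pwned` is the canary the constructed payload tries to set on the API object.
function runScript(source, env) {
  const comments = [];
  const github = { rest: { issues: { createComment: (c) => comments.push(c.body) } } };
  new Function("github", "planOutput", "process", source)(
    github, "## Terraform plan\nNo changes.", { env }
  );
  return { comments, pwned: github.pwned === true };
}

// Constructed attacker-chosen branch name. It contains no character git forbids
// in a ref (space, ~, ^, :, ?, *, [, \) and closes the double-quoted footer.
const EVIL_REF = 'feature/x"+(github.pwned=true)+"';
const PR_CONTEXT = {
  github: { actor: "octocat", event: { pull_request: { head: { ref: EVIL_REF } } } },
};

function demoVulnerable() {
  return runScript(expandExpressions(VULNERABLE_SCRIPT, PR_CONTEXT), {});
}

function demoHardened() {
  const env = { HEAD_REF: PR_CONTEXT.github.event.pull_request.head.ref, ACTOR: PR_CONTEXT.github.actor };
  return runScript(expandExpressions(HARDENED_SCRIPT, PR_CONTEXT), env);
}

console.log("vulnerable:", demoVulnerable());
console.log("hardened:  ", demoHardened());
```

In the vulnerable run the branch name terminates the string literal and the parenthesised expression executes with whatever the step's `github` client can do (here, posting comments); the comment that gets posted no longer even contains the payload. In the hardened run the identical branch name is posted verbatim as data. The fix in a real workflow is the `env:` mapping shown in the comment: keep every `${{ }}` reference to untrusted context out of `script:` and `run:` bodies and read the value from the environment instead, which is the same pattern the skill already uses for the plan output.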
Audit Metadata