The Agent Skills Directory

[COMMAND_EXECUTION]: The tf-plan-review.sh script executes terraform or tofu subcommands such as plan, validate, and state. It also utilizes jq for robust JSON processing of the plan output. All shell variables and directory paths are quoted to prevent command injection.\n- [EXTERNAL_DOWNLOADS]: The skill invokes the init command, which downloads provider plugins and modules from the Terraform Registry or other configured external sources. This is essential for the tool's functionality and follows standard infrastructure-as-code practices.\n- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it ingests untrusted Terraform configuration files. An attacker with the ability to modify these files could attempt to manipulate the agent's risk assessment via malicious resource names or comments. Evidence: 1. Ingestion points: .tf configuration files and terraform plan JSON output. 2. Boundary markers: Parsing is performed using structured JSON queries via jq. 3. Capability inventory: Limited to read-only terraform operations; no apply or destroy capabilities. 4. Sanitization: Use of jq --arg for safe variable interpolation during data processing.

tf-plan-review