terraform-infra-architect
Warn
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local shell script (
scripts/scaffold-repo.sh) to automate project creation. This script performs dynamic file generation, including Makefiles and GitHub Actions workflows, by interpolating user-controlled variables. Without rigorous validation, these inputs could influence the resulting executable automation logic. - [COMMAND_EXECUTION]: The generated project contains a
Makefileand CI/CD pipelines that execute shell commands based on parameters defined during scaffolding. This creates an indirect path where untrusted user input influences command-line operations. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection attack surface due to its broad capabilities. 1. Ingestion points: User responses to configuration questions in SKILL.md. 2. Boundary markers: Absent; user input is directly interpolated into file templates. 3. Capability inventory: File writing, directory creation, and execution of shell scripts. 4. Sanitization: Absent; the script performs no escaping or validation of user-provided strings before processing.
- [EXTERNAL_DOWNLOADS]: The generated GitHub Actions workflows reference official setup actions from HashiCorp and AWS. These downloads are performed from trusted repositories and official service providers.
Audit Metadata