Security Audit
devops-iac-engineer
github.com/davila7/claude-code-templates
Trust Assessment
devops-iac-engineer received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 2 critical, 3 high, 3 medium, and 1 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Network egress to untrusted endpoints.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest, at 26/100; it is also the layer that produced five of the nine findings, including the AWS CLI command-injection critical.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Details | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Python shell execution (`os.system`, `subprocess`). | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | `cli-tool/components/skills/development/devops-iac-engineer/scripts/devops_utils.py:107` |
| CRITICAL | Arbitrary AWS CLI command injection | `run_aws_cli_command` executes whatever AWS CLI command the user supplies in `args.aws_command`, so an attacker can run any AWS CLI command with the permissions of the executing environment, potentially leading to data exfiltration, resource modification, or privilege escalation. | Allowlist the permitted AWS CLI commands and arguments. Never pass arbitrary user input to `subprocess.run`. If specific AWS operations are needed, expose them as dedicated functions with validated, parameterized inputs rather than a generic command executor. | LLM | `scripts/devops_utils.py:250` |
| HIGH | Dangerous call: `subprocess.run()` | Call to `subprocess.run()` detected in function `validate_hcl`; it executes arbitrary commands when its arguments are attacker-controlled. This is the same call site as the Manifest-layer finding above. | Generic static-analysis advice: avoid exec/eval/os.system and use safer alternatives. For `subprocess.run` in particular, keep `shell=False`, pass a fixed argument list, and validate any user-derived argument. | Static | `cli-tool/components/skills/development/devops-iac-engineer/scripts/devops_utils.py:107` |
| HIGH | Command injection via `subprocess.run` with user-controlled arguments | Multiple functions in `scripts/devops_utils.py` build and execute commands with `subprocess.run` where arguments come directly from untrusted user input (e.g. `file_path`, `tag`, `repo_url`, `message`, `bucket_name`). An attacker could inject shell metacharacters or additional command arguments, leading to arbitrary command execution on the host. | Validate every user-provided value before it reaches `subprocess.run`. Keep `shell=False` (the default) and pass arguments as a list, never as a single string; with `shell=False` no shell parses the arguments, so `shlex.quote()` only matters if a command string is ever handed to a shell. What a list does not prevent is argument injection: a value beginning with `-` (a file path, a tag, a commit message) is parsed as an option by the invoked tool, so reject such values or place them after a `--` separator where the tool supports one. | LLM | `scripts/devops_utils.py:80` |
| HIGH | Path traversal for arbitrary file read | `KubernetesHelper.validate_manifest` opens the file named by `file_path`, which comes from user input (`args.file`). A path such as `../../../../etc/passwd` reads arbitrary files on the system, leading to data exfiltration. | Resolve `file_path` with `pathlib.Path.resolve()` or `os.path.realpath()` (both also follow symlinks) and confirm the result lies within the allowed directory using `Path.is_relative_to()` or `os.path.commonpath()`. Do not use `os.path.commonprefix()` for this check: it compares strings character by character and accepts `/srv/app2/x` as being inside `/srv/app`. | LLM | `scripts/devops_utils.py:99` |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to a raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | `cli-tool/components/mcps/devtools/figma-dev-mode.json:4` |
| MEDIUM | Path traversal for directory and file creation | `TerraformHelper.init_project` builds directory and file paths from the user-provided `name` parameter. `pathlib.Path` does not collapse `..` components when a path is constructed (only `resolve()` does), so a value such as `../../attacker_dir` creates directories and files outside the intended project structure, potentially polluting the filesystem or overwriting existing files. | Strictly validate `name`: reject path separators and any component that would leave the intended scope. Alternatively, use a UUID or a sanitized form of the name as a subdirectory under a controlled base path. | LLM | `scripts/devops_utils.py:20` |
| MEDIUM | Content injection in generated Terraform files | `TerraformHelper.init_project` embeds user-controlled inputs (`name`, `cloud`, `region`) directly in the generated HCL. Input containing quotes or HCL syntax (a closing `"` followed by a new block, or a `${...}` interpolation) could inject arbitrary Terraform code into the generated files, which Terraform would then execute, leading to infrastructure compromise. | Validate the inputs against an allowlist (cloud and region are enumerable) or escape them before embedding: inside an HCL string literal that means escaping `\` and `"` and writing `$${` / `%%{` for a literal `${` / `%{`, or using a templating engine that handles the escaping. | LLM | `scripts/devops_utils.py:34` |
| LOW | Covert behavior / concealment directives | Multiple zero-width characters (stealth text). | Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | `cli-tool/components/mcps/devtools/jfrog.json:4` |

Seven of the nine findings point at the skill's own `devops_utils.py`. The two Manifest-layer findings are located in MCP configuration files under `cli-tool/components/mcps/devtools/`, elsewhere in the same repository, not in the `devops-iac-engineer` directory itself.
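Hardened versions of the three patterns the table flags in `devops_utils.py`: confined path resolution for the `file_path` and `name` findings, an allowlisted argv builder for the generic AWS CLI executor, and validation plus escaping for values written into HCL. This is an added example written for this page, not code from claude-code-templates or from SkillShield; the function names, the contents of the allowlist, and the sample inputs are assumptions, and it needs Python 3.9 or later for `Path.is_relative_to()`.

```python
"""Hardening patterns for the devops_utils.py findings (added example; the
function names, allowlist and inputs are assumptions, not the project's code).
Requires Python 3.9+ for Path.is_relative_to()."""
import os
import re
import shlex
import subprocess
import sys
from pathlib import Path

# ---- Path traversal (validate_manifest :99, init_project :20) ----------------

def confine_path(base_dir: str, user_path: str) -> Path:
    """Resolve user_path under base_dir and refuse anything that escapes it.
    resolve() collapses '..' and follows symlinks, so the check runs on the
    real location of the file, not on the string the user typed."""
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if not candidate.is_relative_to(base):
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def commonprefix_is_fooled(base: str, other: str) -> bool:
    """True when os.path.commonprefix() would (wrongly) treat `other` as
    inside `base`: it compares characters, not path components."""
    return os.path.commonprefix([other, base]) == base


# ---- Project name and HCL values (init_project :20 and :34) ------------------

PROJECT_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")

def validate_project_name(name: str) -> str:
    """A short identifier with no separators or quotes closes both the
    '../' traversal and the HCL-injection vector for `name`."""
    if not PROJECT_NAME.fullmatch(name):
        raise ValueError(f"invalid project name: {name!r}")
    return name


def hcl_string(value: str) -> str:
    """Render value as a quoted HCL string literal. Backslash, quote and
    newline are escaped, and '${' / '%{' are doubled so the value cannot
    open a template interpolation or directive."""
    escaped = (value.replace("\\", "\\\\").replace('"', '\\"')
                    .replace("\n", "\\n")
                    .replace("${", "$${").replace("%{", "%%{"))
    return f'"{escaped}"'


# ---- Command execution (:80, :107, :250) -------------------------------------

ALLOWED_AWS = {("sts", "get-caller-identity"), ("s3", "ls"),
               ("ec2", "describe-instances")}          # assumed allowlist
ALLOWED_AWS_OPTS = {"--region": re.compile(r"[a-z]{2}-[a-z]+-\d"),
                    "--output": re.compile(r"json|text|table")}

def build_aws_argv(user_command: str) -> list:
    """Turn a user-supplied string into a fixed argv for subprocess.run
    (shell=False). Only allowlisted service/action pairs and options pass;
    positional arguments are rejected outright (give them dedicated,
    parameterized functions instead of a generic executor)."""
    tokens = shlex.split(user_command)
    if len(tokens) < 2 or (tokens[0], tokens[1]) not in ALLOWED_AWS:
        raise ValueError(f"aws command not allowed: {user_command!r}")
    argv = ["aws", tokens[0], tokens[1]]
    rest = tokens[2:]
    while rest:
        opt = rest.pop(0)
        pattern = ALLOWED_AWS_OPTS.get(opt)
        if pattern is None or not rest or not pattern.fullmatch(rest[0]):
            raise ValueError(f"aws option not allowed: {opt!r}")
        argv += [opt, rest.pop(0)]
    return argv


def reject_option_like(value: str) -> str:
    """With shell=False, metacharacters are inert, but a value starting with
    '-' is still parsed as a flag by the invoked tool (argument injection).
    Refuse it, or put it after '--' where the tool supports that."""
    if value.startswith("-"):
        raise ValueError(f"value would be parsed as an option: {value!r}")
    return value


def echo_argv(value: str) -> str:
    """Pass an attacker-looking value through subprocess.run with shell=False
    and return what the child saw: no shell ever interprets ';' or '$(...)'."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    print(build_aws_argv("s3 ls --region us-east-1"))
    print(echo_argv("x; rm -rf / $(id)"))
    print(hcl_string('x"${evil}'))
```

`echo_argv` is there to make the `shlex.quote()` point concrete: the child process receives the metacharacters verbatim, so quoting them adds nothing when `shell=False`; the residual risk is the leading `-`, which `reject_option_like` handles. `confine_path` deliberately resolves both the base and the candidate so that a symlink planted under the base cannot point the read outside it.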
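The two Manifest-layer findings (a raw-IP endpoint in `figma-dev-mode.json`, zero-width characters in `jfrog.json`) are the kind of check that is cheap to run locally over a repository's MCP and skill manifests before trusting them. The scanner below is an added example written for this page, not SkillShield's implementation. The sample manifests are constructed: the `203.0.113.10` address is from the RFC 5737 documentation range, the loopback URL stands in for a local dev server, and the severities and JSON paths it reports are this example's own conventions.

```python
"""Manifest checks for raw-IP endpoints and stealth text (added example, not
SkillShield's code; the sample manifests are constructed for this page)."""
import ipaddress
import json
import re
import unicodedata
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed manifests. The stealth-text one hides two zero-width spaces and
# a right-to-left override inside a description; the raw-IP one points a
# server at an address from the RFC 5737 documentation range.
SAMPLE_MANIFESTS = {
    "raw-ip.json": '{"mcpServers":{"collector":{"url":"http://203.0.113.10/collect"}}}',
    "local-dev.json": '{"mcpServers":{"figma":{"url":"http://127.0.0.1:3845/sse"}}}',
    "stealth-text.json": '{"mcpServers":{"jfrog":{"command":"npx","args":["-y","jfrog-mcp"],'
                         '"description":"JFrog\u200b\u200bArtifactory\u202e"}}}',
    "clean.json": '{"mcpServers":{"api":{"url":"https://api.example.com/mcp"}}}',
}


def _strings(node, path=""):
    """Yield (json_path, value) for every string in a parsed manifest."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _strings(value, f"{path}[{i}]")


def scan_manifest(text: str) -> list:
    """Return (severity, json_path, message) tuples for one manifest."""
    findings = []
    for path, value in _strings(json.loads(text)):
        # Unicode category Cf covers zero-width spaces/joiners, the BOM and
        # the bidi embedding/override/isolate controls: none of them render.
        hidden = [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                  for c in value if unicodedata.category(c) == "Cf"]
        if hidden:
            findings.append(("LOW", path, "stealth text: " + ", ".join(hidden)))
        for url in URL_RE.findall(value):
            try:
                ip = ipaddress.ip_address(urlparse(url).hostname)
            except ValueError:      # hostname is a name, not a literal IP
                continue
            # A loopback literal is usually a local dev server; anything else
            # is an endpoint that no domain name vouches for.
            severity = "INFO" if ip.is_loopback else "MEDIUM"
            findings.append((severity, path, f"raw IP endpoint: {url}"))
    return findings


def scan_all(manifests: dict) -> dict:
    """Map file name -> findings, omitting files with none."""
    result = {}
    for name, text in manifests.items():
        found = scan_manifest(text)
        if found:
            result[name] = found
    return result


if __name__ == "__main__":
    for name, found in scan_all(SAMPLE_MANIFESTS).items():
        for severity, path, message in found:
            print(f"{severity:6} {name}{path}: {message}")
```

Keying the stealth-text check on Unicode category `Cf` rather than on a hand-written list catches the bidirectional overrides the LOW finding mentions as well as the zero-width characters, and reporting the code point and name makes the triage verifiable in a diff viewer that otherwise shows nothing. Splitting loopback literals from other raw IPs is a triage choice for this example: a `127.0.0.1` URL is a different risk from an address on the public Internet.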
Full report: https://skillshield.io/report/b988f84cbd7f2165
Powered by SkillShield