Trust Assessment
new-terraform-provider received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Unpinned dependency version in `go get`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 1, 2026 (commit 339a1139). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unpinned dependency version in `go get` The skill instructs the agent to fetch a Go dependency using `go get -u github.com/hashicorp/terraform-plugin-framework@latest`. Using `@latest` means the exact version of the dependency is not pinned. This can lead to non-deterministic builds, unexpected breaking changes, or the introduction of vulnerabilities if a future version of the dependency is compromised or contains malicious code. While `hashicorp/terraform-plugin-framework` is a legitimate project, relying on `@latest` introduces a supply chain risk. Pin the dependency to a specific version or at least a major version (e.g., `github.com/hashicorp/terraform-plugin-framework@v1.x.y` or `github.com/hashicorp/terraform-plugin-framework@v1`). This ensures deterministic builds and allows for explicit vetting of updates. | Static | SKILL.md:10 |
Scan History
Embed Code
[](https://skillshield.io/report/48c8010c2d9eaff6)
Powered by SkillShield