Trust Assessment
pulumi-terraform-to-pulumi received a trust score of 91/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 1 medium, and 1 low severity. The two findings are Insecure Temporary File Usage in Dependency Resolution (medium) and Unquoted Shell Variable Interpolation (low).
The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, manifest_analysis, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 8, 2026 (commit 3230a42d). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Insecure Temporary File Usage in Dependency Resolution. The skill instructs the agent to store generated dependency requirements at a fixed, predictable path in `/tmp` (`/tmp/required-providers.json`) and later read that file back to install packages. Because `/tmp` is world-writable, on a multi-user host a local attacker can pre-create the path (for example as a symlink) or modify the file between the time the skill writes it and the time it reads it back (a time-of-check/time-of-use, TOCTOU, race), injecting package names or versions and causing the agent to install compromised dependencies. Remediation: write intermediate dependency configurations to a private, randomly named temporary directory (e.g., `mktemp -d`) or to a file inside the project's own workspace. | Unknown | SKILL.md:25 |
| LOW | Unquoted Shell Variable Interpolation. The shell command template expands `${terraform_dir}` and `${pulumi_dir}` without quotes. If a user-supplied path contains spaces or shell metacharacters, the expansion is subject to word splitting and pathname expansion, which at best breaks the command and, where the agent pastes the values into a command string before handing it to the shell, allows command injection. Remediation: enclose every variable expansion in double quotes (e.g., `"${terraform_dir}"`) so that each path is passed as a single argument. | Unknown | SKILL.md:23 |
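The script below is an added illustration of the two findings; it is not code from the skill, from its SKILL.md, or from SkillShield. Each insecure pattern is placed next to a hardened form: a fixed `/tmp` path versus a private `mktemp -d` directory, and a command template with unquoted, text-interpolated paths versus properly quoted arguments. The `pulumi convert --from terraform --out ...` invocation is an assumed shape, and `pulumi` is replaced by a shell function that only reports its argument count so the script runs offline. `FIXED_REQ` defaults to the path named in the finding and can be overridden only so the demo can run inside a sandbox.

```shell
#!/bin/sh
# Added example (not the skill's or SkillShield's code). Demonstrates the two
# SkillShield findings beside their hardened forms. Nothing here touches a real
# Pulumi or Terraform installation.

# ---- Finding 1: predictable temp file vs. private mktemp directory ----------

# Predictable path from the finding. The override exists only so the demo can
# be run inside a sandbox directory instead of the shared /tmp.
FIXED_REQ=${FIXED_REQ:-/tmp/required-providers.json}

# Insecure, step 1: write resolved requirements to the fixed path. If another
# local user already placed a symlink there, this write follows it.
write_requirements_insecure() {
    printf '%s\n' "$1" > "$FIXED_REQ"
}

# Insecure, step 2: read them back later to drive installation. Anything that
# changed the file in between is honoured (the TOCTOU window in the finding).
read_requirements_insecure() {
    cat "$FIXED_REQ"
}

# Hardened: mktemp -d creates a fresh, unpredictably named directory with mode
# 0700, so no other user can plant or swap the file. Prints the file's path;
# the caller keeps it for the later read step.
write_requirements_secure() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$1" > "$dir/required-providers.json"
    printf '%s\n' "$dir/required-providers.json"
}

# Permission string of a path as shown by ls, e.g. drwx------
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# ---- Finding 2: unquoted variables in a command template --------------------

# Stand-in for the real CLI: reports how many arguments it received.
pulumi() {
    printf 'argc=%s\n' "$#"
}

# Insecure: the agent pastes the path values into the template as text and
# hands the resulting string to the shell. A space in a path splits it into
# extra arguments; a metacharacter is interpreted as shell syntax.
# (Assumed command shape; the real SKILL.md template is not reproduced here.)
convert_insecure() {
    terraform_dir=$1
    pulumi_dir=$2
    ( eval "cd ${terraform_dir} && pulumi convert --from terraform --out ${pulumi_dir}" )
}

# Hardened: every expansion is double-quoted, so each path is exactly one
# argument whatever characters it contains. Run in a subshell so the cd does
# not leak into the caller.
convert_secure() {
    ( cd "$1" && pulumi convert --from terraform --out "$2" )
}

# Usage (constructed inputs):
#   convert_secure ./terraform "out dir"   -> argc=5
#   convert_insecure ./terraform "out dir" -> argc=6 (the space split "out dir")
```

If the agent genuinely must hand a template string to `sh -c`, pass the paths as positional parameters (`sh -c 'cd "$1" && ...' sh "$terraform_dir" "$pulumi_dir"`) rather than interpolating them into the string; quoting inside an interpolated string still breaks on a path that itself contains a double quote.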
[Full report on SkillShield](https://skillshield.io/report/faee9bd9bb2c961e)