Security Audit

pulumi-terraform-to-pulumi

github.com/pulumi/agent-skills

AI SkillCommit 3230a42ddb5b

TRUSTED

Scanned 12 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

pulumi-terraform-to-pulumi received a trust score of 91/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.

SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 1 medium, and 1 low severity. Key findings include Insecure Temporary File Usage in Dependency Resolution, Unquoted Shell Variable Interpolation.

The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, manifest_analysis, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 8, 2026 (commit 3230a42d). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

91%

Behavioral Risk Signals

Filesystem Write

2 findings

Shell Execution

1 finding

Dynamic Code

2 findings

Security Findings2

Severity	Finding	Layer	Location
MEDIUM	Insecure Temporary File Usage in Dependency Resolution The skill instructs the agent to use fixed, predictable paths in `/tmp` (`/tmp/required-providers.json`) to store generated dependency requirements, which are subsequently read to install packages. On multi-user systems, this creates a Time-of-Check Time-of-Use (TOCTOU) vulnerability where a local attacker could pre-create or modify this file to inject malicious package names or versions, causing the agent to install compromised dependencies. Use a secure, randomized temporary directory (e.g., `mktemp -d`) or a file within the project's local workspace to store intermediate dependency configurations.	Unknown	SKILL.md:25
LOW	Unquoted Shell Variable Interpolation The shell command template uses unquoted variables (`${terraform_dir}`, `${pulumi_dir}`). If the user-provided paths contain spaces or shell metacharacters, this could lead to command injection or execution errors when the agent constructs the command. Enclose all variable expansions in double quotes (e.g., `"${terraform_dir}"`) to prevent shell expansion exploits.	Unknown	SKILL.md:23

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/faee9bd9bb2c961e.svg)](https://skillshield.io/report/faee9bd9bb2c961e)