Skill details (on-site mirror, no comments)
Author: Anmol Nagpal @anmolnagpal
License: MIT-0
MIT-0 · Free to use, modify and redistribute. No attribution required.
Version: v1.0.0
Stats: ⭐ 0 · 188 · 0 current installs · 0 all-time installs
Package: anmolnagpal/terraform-reviewer
Security scan (ClawHub)
- VirusTotal: benign
- OpenClaw: benign
OpenClaw assessment
The skill's requested inputs and instructions match its stated purpose (reviewing Terraform HCL/plan for AWS security issues); there are no installs or extra credentials requested, but users must avoid pasting sensitive secrets in plans/state they provide.
Purpose
Name and description (Terraform/AWS security reviewer) align with the runtime instructions: the skill is instruction-only and asks users to paste HCL or terraform plan JSON for analysis. It does not request unrelated binaries, cloud credentials, or platform access.
Instruction scope
SKILL.md confines the agent to analyzing user-provided HCL/plan/state output and explicitly states it will not use AWS credentials. However, terraform plan/state outputs can contain sensitive values (secrets, passwords, ARNs, resource identifiers). The skill asks the user to confirm no credentials are included before processing, which is appropriate but places the burden on the user to avoid accidental disclosure.
Install mechanism
No install spec and no code files — instruction-only skills have the smallest disk/execution footprint. Nothing is downloaded or installed by the skill.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. This is proportionate to a static-analysis reviewer that operates on user-supplied text. Note: the skill suggests commands to generate plan/state which may require read-only AWS permissions, but it does not request those credentials directly.
Persistence
always:false (default) and no request to modify agent/system configuration. The skill does not request persistent elevated privileges or modify other skills' settings.
Overall conclusion
This skill appears coherent and does what it says: analyze pasted Terraform HCL or terraform plan JSON for AWS security issues. It does not ask for credentials. IMPORTANT: terraform plan and especially terraform state can contain secrets or sensitive values — do not paste API keys, passwords, private keys, or any sensitive environment variables into the chat. If you are unsure, sanitize or redact values, or share only the resource blocks neces…
Install (copy to 龙虾 AI / Lobster AI)
Copy the whole passage below into a 龙虾中文库 (Lobster Chinese skill library) conversation; 龙虾 will complete the installation according to SKILL.md.
Please hand this passage to 龙虾中文库 (龙虾 AI) to execute: install the OpenClaw skill "Terraform Reviewer" on this machine. Summary: Review Terraform plans and HCL files for AWS security misconfigurations before ….
Please fetch the following URL, read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/anmolnagpal/terraform-reviewer/SKILL.md
(Source: yingzhi8.cn skill library)
SKILL.md
---
name: aws-terraform-security-reviewer
description: Review Terraform plans and HCL files for AWS security misconfigurations before deployment
tools: claude, bash
version: "1.0.0"
pack: aws-security
tier: security
price: 49/mo
permissions: read-only
credentials: none — user provides exported data
---
# AWS Terraform / IaC Security Reviewer
You are an AWS infrastructure-as-code security expert. Catch misconfigurations before `terraform apply`.
> **This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.**
## Required Inputs
Ask the user to provide **one or more** of the following (the more provided, the better the analysis):
1. **Terraform HCL files** — paste the relevant `.tf` resource blocks
```
How to provide: paste the file contents directly, focusing on resource definitions
```
2. **`terraform plan` output in JSON format** — for comprehensive analysis
```bash
terraform plan -out=tfplan
terraform show -json tfplan > tfplan.json
```
3. **Existing deployed resource configuration** — to compare IaC against reality
```bash
terraform state list
```
No cloud credentials needed — only Terraform HCL file contents and `terraform plan` output.
**Minimum read-only permissions to generate `terraform plan` (no apply):**
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:Describe*", "iam:Get*", "iam:List*", "s3:GetBucket*", "rds:Describe*"],
    "Resource": "*"
  }]
}
```
If the user cannot provide any data, ask them to describe: which AWS resources they're defining and any specific security concerns they already have.
## Resources to Check
- `aws_s3_bucket`: public access block, versioning, encryption, logging
- `aws_security_group`: `0.0.0.0/0` ingress rules
- `aws_db_instance`: `publicly_accessible`, encryption, deletion protection
- `aws_iam_policy` / `aws_iam_role`: wildcard actions, broad trust
- `aws_instance`: IMDSv2 enforcement (`metadata_options.http_tokens = "required"`), public IP
- `aws_lambda_function`: execution role over-privilege, reserved concurrency
- `aws_kms_key`: deletion window, key rotation enabled
- `aws_cloudtrail`: multi-region, log file validation, S3 encryption
- `aws_eks_cluster`: public API endpoint access, envelope encryption
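The checklist above, carried out programmatically against `terraform show -json tfplan` output, as an added example that is not part of the skill or its author's code: it walks the plan's `planned_values` modules, runs one check per resource type, and returns findings in the severity / CIS-reference shape the Output Format section asks for. The sample plan is constructed (abridged to the attributes the checks read); the resource types and attribute names are the ones the Terraform AWS provider emits; the CIS AWS Foundations Benchmark v2.0 control numbers are the example author's recollection and should be verified against the benchmark text before they are cited in a review; S3 checks are left out because with AWS provider v4+ encryption, versioning and the public-access block live in separate companion resources.

```python
"""Added example (not the skill's own code): apply the "Resources to Check" list to
`terraform show -json tfplan` output and return findings with severity + CIS ref."""
import json

# Constructed sample plan, abridged to the fields the checks read; not real infrastructure.
SAMPLE_PLAN = {"format_version": "1.2", "planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group", "values": {
        "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
    {"address": "aws_db_instance.app", "type": "aws_db_instance", "values": {
        "publicly_accessible": True, "storage_encrypted": False, "deletion_protection": False}},
    {"address": "aws_instance.bastion", "type": "aws_instance", "values": {
        "metadata_options": [{"http_tokens": "optional"}]}},
    {"address": "aws_iam_policy.admin", "type": "aws_iam_policy", "values": {
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"address": "aws_kms_key.data", "type": "aws_kms_key", "values": {"enable_key_rotation": False}},
    {"address": "aws_cloudtrail.main", "type": "aws_cloudtrail", "values": {
        "is_multi_region_trail": False, "enable_log_file_validation": True, "kms_key_id": None}},
    {"address": "aws_eks_cluster.prod", "type": "aws_eks_cluster", "values": {
        "vpc_config": [{"endpoint_public_access": True, "public_access_cidrs": ["0.0.0.0/0"]}]}},
]}}}

def first_block(values, key):
    # Nested blocks (metadata_options, vpc_config, ...) are serialized as lists in plan JSON.
    return (values.get(key) or [{}])[0]

def walk_resources(module):
    # Yield every resource in a module and, recursively, in its child modules.
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)

# Each check yields (severity, attribute, issue, cis). CIS AWS Foundations Benchmark v2.0
# numbers are as recalled by this example's author; verify against the benchmark before
# citing them ("-" = no direct control mapped).
def check_security_group(v):
    for r in v.get("ingress") or []:
        if "0.0.0.0/0" in (r.get("cidr_blocks") or []) or "::/0" in (r.get("ipv6_cidr_blocks") or []):
            yield "CRITICAL", "ingress", f"open to the world, ports {r.get('from_port')}-{r.get('to_port')}", "5.2"

def check_db_instance(v):
    if v.get("publicly_accessible"):
        yield "CRITICAL", "publicly_accessible", "database reachable from the internet", "2.3.3"
    if not v.get("storage_encrypted"):
        yield "HIGH", "storage_encrypted", "storage not encrypted at rest", "2.3.1"
    if not v.get("deletion_protection"):
        yield "HIGH", "deletion_protection", "stateful resource can be deleted without a guard", "-"

def check_instance(v):
    if first_block(v, "metadata_options").get("http_tokens") != "required":
        yield "HIGH", "metadata_options.http_tokens", "IMDSv2 not enforced", "5.6"

def check_iam_policy(v):
    statements = json.loads(v.get("policy") or "{}").get("Statement", [])
    for st in [statements] if isinstance(statements, dict) else statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") == "Allow" and "*" in actions:
            yield "CRITICAL", "policy", 'Allow with Action "*" (full administrative access)', "1.16"
        elif st.get("Effect") == "Allow" and any("*" in a for a in actions):
            yield "HIGH", "policy", f"wildcard actions {actions}", "-"

def check_kms_key(v):
    if not v.get("enable_key_rotation"):
        yield "HIGH", "enable_key_rotation", "automatic key rotation disabled", "3.8"

def check_cloudtrail(v):
    if not v.get("is_multi_region_trail"):
        yield "HIGH", "is_multi_region_trail", "trail covers a single region only", "3.1"
    if not v.get("enable_log_file_validation"):
        yield "HIGH", "enable_log_file_validation", "log file validation disabled", "3.2"
    if not v.get("kms_key_id"):
        yield "HIGH", "kms_key_id", "trail logs not encrypted with a KMS key", "3.7"

def check_eks_cluster(v):
    vpc = first_block(v, "vpc_config")
    if vpc.get("endpoint_public_access") and "0.0.0.0/0" in (vpc.get("public_access_cidrs") or []):
        yield "CRITICAL", "vpc_config.public_access_cidrs", "API endpoint open to the world", "-"

CHECKS = {"aws_security_group": check_security_group, "aws_db_instance": check_db_instance,
          "aws_instance": check_instance, "aws_iam_policy": check_iam_policy,
          "aws_kms_key": check_kms_key, "aws_cloudtrail": check_cloudtrail,
          "aws_eks_cluster": check_eks_cluster}

def review_plan(plan):
    """Return finding dicts (address, attribute, severity, issue, cis) for a plan JSON dict."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in walk_resources(root):
        check = CHECKS.get(res.get("type"))
        for severity, attribute, issue, cis in (check(res.get("values") or {}) if check else []):
            findings.append({"address": res["address"], "attribute": attribute,
                             "severity": severity, "issue": issue, "cis": cis})
    return findings

if __name__ == "__main__":
    for f in sorted(review_plan(SAMPLE_PLAN), key=lambda f: f["severity"]):
        print(f"[{f['severity']}] {f['address']} {f['attribute']}: {f['issue']} (CIS {f['cis']})")
```

To run it against a real plan, replace `SAMPLE_PLAN` with `json.load(open("tfplan.json"))`; note that attributes only known after apply are absent from `values` and listed under `after_unknown` in `resource_changes`, so a missing attribute is not proof of a misconfiguration and deserves a "could not verify" note rather than a finding.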
## Output Format
- **Critical Findings**: immediate security risks (stop deployment)
- **High Findings**: significant risks (fix before production)
- **Findings Table**: resource, attribute, issue, CIS control reference
- **Corrected HCL**: fixed Terraform code snippet per finding
- **PR Review Comment**: GitHub-formatted comment ready to paste
## Rules
- Map each finding to CIS AWS Foundations Benchmark v2.0 control
- Write corrected HCL inline — don't just describe the fix
- Flag `lifecycle { prevent_destroy = false }` on stateful resources
- Note: `terraform plan` output doesn't show all security implications — flag this
- Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
- If user pastes raw data, confirm no credentials are included before processing