terraform-skill — agentic threat model
The terraform-skill agent poses a high indirect risk due to its focus on infrastructure-mutating surfaces like SSH, remote-exec, and Terraform plan/apply. While primarily a guidance and debugging skill, any compromise or generation of insecure IaC templates could lead to severe remote code execution or cloud infrastructure compromise.
OWASP AIVSS score rationale

| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.30 |
| Goal-Driven Planning | 0.40 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.60 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.30 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "Not certain from the listing" are general, caveated commentary for layers the public description does not pin down.
Layer 1, Foundation Models: Not certain from the listing — The underlying foundation model is not specified. Standard LLM risks apply, particularly prompt injection that could trick the model into generating malicious IaC payloads or insecure SSH configurations.
Layer 2, Data Operations: Not certain from the listing — The exact data storage or RAG mechanism for operational traps is unspecified. If a vector database is used to store Terraform patterns, it faces risks of knowledge-base poisoning with insecure IaC templates.
Layer 3, Agent Frameworks: The agent framework orchestrates guidance for highly sensitive operations (remote-exec, local-exec, SSH). Insecure tool integration or lack of input sanitization during drift debugging could allow an attacker to execute arbitrary shell commands on the host running the agent.
Layer 4, Deployment and Infrastructure: Not certain from the listing — The hosting environment for this open-source skill is not defined. However, because it guides SSH and container health operations, a compromise of the deployment environment could expose highly sensitive cloud credentials and SSH private keys.
Layer 5, Evaluation and Observability: Not certain from the listing — No evaluation, guardrails, or logging mechanisms are mentioned. Without strict guardrails, there are significant blind spots regarding whether the agent is recommending insecure or backdoored Terraform configurations.
Layer 6, Security and Compliance: Not certain from the listing — No compliance frameworks, identity controls, or access policies are mentioned. The lack of explicit RBAC for executing or planning Terraform changes represents a major compliance gap.
Layer 7, Agent Ecosystem: As a community-contributed 'Agent Skill', this component is subject to supply chain risks. If integrated into larger multi-agent systems, a compromised version of this skill could act as a horizontal vector to inject malicious infrastructure code across an organization's entire cloud footprint.
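The guardrail gap noted for the evaluation and compliance layers above can be closed with a pre-apply review step. The following is an added example, not code from terraform-skill or its maintainers: it scans agent-generated HCL for exactly the surfaces this page flags (remote-exec and local-exec provisioners, embedded private keys, literal cloud credentials) and refuses to proceed to plan/apply while any finding is open. The rule names, regexes and the sample configuration are all constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


# Constructed rule set: each entry is (rule name, pattern, why it matters).
RULES = [
    ("remote-exec-provisioner", re.compile(r'provisioner\s+"remote-exec"'),
     "runs commands over SSH/WinRM on the created host"),
    ("local-exec-provisioner", re.compile(r'provisioner\s+"local-exec"'),
     "runs a shell command on the machine executing terraform apply"),
    ("inline-private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
     "SSH/TLS private key embedded in the configuration"),
    ("hardcoded-cloud-credential",
     re.compile(r'\b(access_key|secret_key|password|token)\s*=\s*"[^"]+"'),
     "literal credential in a provider or resource block"),
]


def review_terraform(hcl_text: str) -> list[Finding]:
    """Return one Finding per matching line; references like var.x are not literals and pass."""
    findings = []
    for lineno, line in enumerate(hcl_text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop HCL line comments before matching
        for rule, pattern, detail in RULES:
            if pattern.search(code):
                findings.append(Finding(lineno, rule, detail))
    return findings


def gate_apply(hcl_text: str) -> bool:
    """Pre-apply guardrail: True only when the review produced no findings."""
    return not review_terraform(hcl_text)


# Constructed sample of agent-generated HCL; the key value is a placeholder, not a real credential.
SAMPLE_HCL = '''
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIA_EXAMPLE_PLACEHOLDER"   # literal: flagged
  secret_key = var.aws_secret               # reference: not flagged
}

resource "aws_instance" "web" {
  ami           = "ami-12345678"
  instance_type = "t3.micro"

  provisioner "remote-exec" {
    inline = ["sudo systemctl restart nginx"]
  }
}
'''

if __name__ == "__main__":
    for f in review_terraform(SAMPLE_HCL):
        print(f"line {f.line}: {f.rule} ({f.detail})")
    print("apply allowed:", gate_apply(SAMPLE_HCL))
```

Wire `gate_apply` in front of the agent's plan/apply step so a finding blocks execution and is logged for review rather than silently applied.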
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).