Terraform Reviewer
by Anmol Nagpal · GitHub · v1.0.0
373 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw: /install terraform-reviewer
Description
Review Terraform plans and HCL files for AWS security misconfigurations before deployment
Usage Guidance
This skill appears coherent and does what it says: analyze pasted Terraform HCL or terraform plan JSON for AWS security issues. It does not ask for credentials. IMPORTANT: terraform plan and especially terraform state can contain secrets or sensitive values — do not paste API keys, passwords, private keys, or any sensitive environment variables into the chat. If you are unsure, sanitize or redact values, or share only the resource blocks necessary for review. Prefer sharing terraform show -json output that you have inspected and scrubbed, or use local tools (tfsec, checkov, terrascan) if you cannot safely redact data. If you want extra assurance, ask the reviewer to provide a small sample analysis first (no secrets) to confirm behavior before sending larger outputs.
Capability Analysis
Type: OpenClaw Skill
Name: terraform-reviewer
Version: 1.0.0
The skill bundle is classified as benign. The `SKILL.md` clearly defines a security review purpose and explicitly states that the skill is 'instruction-only,' does not execute AWS CLI commands, and does not access AWS accounts directly. It includes strong defensive instructions for the AI agent, such as 'Never ask for credentials, access keys, or secret keys' and to 'confirm no credentials are included before processing' user-provided data. While `bash` is listed as a tool, there are no instructions for the agent to use it for any malicious or risky operations; the `bash` commands provided are for the user to generate input data. There is no evidence of data exfiltration, malicious execution, persistence, or harmful prompt injection attempts.
Capability Assessment
Purpose & Capability
Name and description (Terraform/AWS security reviewer) align with the runtime instructions: the skill is instruction-only and asks users to paste HCL or terraform plan JSON for analysis. It does not request unrelated binaries, cloud credentials, or platform access.
Instruction Scope
SKILL.md confines the agent to analyzing user-provided HCL/plan/state output and explicitly states it will not use AWS credentials. However, terraform plan/state outputs can contain sensitive values (secrets, passwords, ARNs, resource identifiers). The skill asks the user to confirm no credentials are included before processing, which is appropriate but places the burden on the user to avoid accidental disclosure.
Install Mechanism
No install spec and no code files — instruction-only skills have the smallest disk/execution footprint. Nothing is downloaded or installed by the skill.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. This is proportionate to a static-analysis reviewer that operates on user-supplied text. Note: the skill suggests commands to generate plan/state which may require read-only AWS permissions, but it does not request those credentials directly.
Persistence & Privilege
always:false (default) and no request to modify agent/system configuration. The skill does not request persistent elevated privileges or modify other skills' settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install terraform-reviewer
- After installation, invoke the skill by name or use /terraform-reviewer
- Provide the required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
aws-terraform-security-reviewer v1.0.0
- Initial release for comprehensive AWS Terraform/IaC security misconfiguration review.
- Analyzes pasted Terraform HCL, JSON terraform plan output, or deployed resource config.
- No cloud credentials required; user provides only exported data.
- Focuses on critical resources (S3, IAM, EC2, RDS, Lambda, KMS, CloudTrail, EKS) with CIS AWS Foundations Benchmark v2.0 mapping.
- Produces actionable findings: critical/high, table format with CIS mapping, and corrected HCL snippets.
- Includes a ready-to-paste GitHub PR review comment.
- Strictly read-only, never requests or processes sensitive credentials.
Frequently Asked Questions
What is Terraform Reviewer?
Review Terraform plans and HCL files for AWS security misconfigurations before deployment. It is an AI Agent Skill for Claude Code / OpenClaw, with 373 downloads so far.
How do I install Terraform Reviewer?
Run "/install terraform-reviewer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Terraform Reviewer free?
Yes, Terraform Reviewer is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Terraform Reviewer support?
Terraform Reviewer is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Terraform Reviewer?
It is built and maintained by Anmol Nagpal (@anmolnagpal); the current version is v1.0.0.