Terraform Ai Skills
by Anmol Nagpal · v0.0.2
Downloads: 425
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install terraform-ai-skills
Description
Use when bulk-managing Terraform modules at scale — upgrading providers across AWS, GCP, Azure, or DigitalOcean repositories, standardizing GitHub Actions wo...
Usage Guidance
This skill appears to do what it claims, but it executes shell scripts that clone, modify, and push to many repositories — potentially at scale. Before installing or running:
1) Review the scripts (scripts/*.sh and run-with-provider.sh) line-by-line in a safe environment.
2) Test on a single non-production repository (the README and SKILL.md explicitly advise this).
3) Provide GitHub credentials with the minimum necessary scopes (use a fine-grained token or repository-scoped PAT; the docs recommend contents:write, workflows:write, pull-requests:write only if needed).
4) Use DRY_RUN or create PRs (CREATE_PR=true) rather than direct commits while validating behavior.
5) Avoid exposing other secrets in config files; use GitHub secrets when integration is required.
6) Rotate and limit tokens after use and keep audit logs of operations.
If you need higher assurance, have a trusted engineer audit the scripts for any unexpected network calls or external endpoints before running at scale.
Capability Analysis
Type: OpenClaw Skill
Name: terraform-ai-skills
Version: 0.0.2
The skill bundle is designed for legitimate Terraform module management, utilizing standard DevOps tools like `terraform`, `git`, and `gh`. It requests broad `filesystem` and `network` permissions, which are plausible for its stated purpose. However, the `run-with-provider.sh` script executes `bash "$SCRIPT_PATH" $ARGS` where `ARGS` is passed directly from user input without explicit sanitization. This creates a shell injection vulnerability (potential RCE) if a malicious user or a compromised AI agent provides crafted input for `ARGS`. While the skill's internal prompts and documentation emphasize safety and do not demonstrate malicious intent, this critical vulnerability, combined with the broad permissions, classifies it as 'suspicious' rather than 'benign' or 'malicious'.
Capability Assessment
Purpose & Capability
Name/description (bulk Terraform module management, provider upgrades, workflow standardization, releases, validation) match the actual contents: bash scripts, config files, prompts, and docs. Declared required binaries (terraform, git, bash) and optional tools (gh, tfsec, tflint, trivy, checkov) are appropriate for the stated tasks.
Instruction Scope
SKILL.md and CLAUDE.md instruct the agent to run shipped scripts (run-with-provider.sh, scripts/*.sh) that clone, modify, and push changes across many repositories and optionally create GitHub releases. This is within the stated purpose, but these instructions imply broad filesystem and network activity and the ability to make destructive changes at scale — the docs explicitly recommend testing on one repo first and include safety/rollback guidance, which is good practice.
Install Mechanism
No install spec is provided (instruction-only), so nothing will be downloaded automatically. Code files are included in the skill and are intended to be executed locally; there are no third-party download URLs or extracted archives in the package that would raise additional supply-chain concerns.
Credentials
The skill manifest lists no required env vars or primary credential, but the scripts and documentation clearly expect certain environment variables and credentials at runtime (e.g., GH CLI usage, GitHub token permissions for commits/releases, CREATE_PR, ORG_NAME, SLACK_WEBHOOK_URL for optional notifications, and other runtime variables in docs/ENV-VARS.md). The absence of an explicit requires.env entry is an omission in the manifest (not necessarily malicious) — users must supply appropriate tokens with least privilege when running the skill.
Persistence & Privilege
The skill does not request always:true and claw.json lists only filesystem and network permissions, which are coherent with its purpose (cloning repos, modifying files, pushing changes, calling GH). It does not attempt to modify other skills or system-wide settings. Because the skill executes shell scripts, it will run with the invoking user's privileges — follow safe practice and test first.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install terraform-ai-skills
- After installation, invoke the skill by name or use /terraform-ai-skills
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.0.2
- Improved skill description for bulk Terraform module management and multi-cloud support (AWS, GCP, Azure, DigitalOcean).
- Enhanced documentation: clear use cases, step-by-step quick start, and detailed provider/version requirements.
- Added reference guides for provider configs, safety/rollback, and real-world examples.
- Included expected time estimates and proven time savings for common operations.
- Clarified tool requirements and expanded optional integrations for validation and automation.
Frequently Asked Questions
What is Terraform Ai Skills?
Use when bulk-managing Terraform modules at scale — upgrading providers across AWS, GCP, Azure, or DigitalOcean repositories, standardizing GitHub Actions wo... It is an AI Agent Skill for Claude Code / OpenClaw, with 425 downloads so far.
How do I install Terraform Ai Skills?
Run "/install terraform-ai-skills" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Terraform Ai Skills free?
Yes, Terraform Ai Skills is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Terraform Ai Skills support?
Terraform Ai Skills is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, macos).
Who created Terraform Ai Skills?
It is built and maintained by Anmol Nagpal (@anmolnagpal); the current version is v0.0.2.