tf-plan-review
by Todd Kuehnl (GitHub) · v0.2.1
691 downloads · 0 stars · 3 active installs · 4 versions
Install in OpenClaw: /install tf-plan-review
Description
Analyze Terraform plans for risk before you apply. Classifies every change as safe, moderate, dangerous, or critical. Detects destroys, IAM changes, data-los...
Usage Guidance
Before installing or running this skill:
- Expect to have jq and terraform (or tofu) on PATH — the registry metadata incorrectly lists no required binaries. Confirm these are present.
- Review the included scripts yourself (scripts/tf-plan-review.sh) before trusting it in production. The script is mostly conservative, but it does run `terraform init` if the directory is not initialized, which creates/changes .terraform and can download providers/modules from the network.
- If you are concerned about downloading untrusted providers, run the tool in a sandbox or on a copy of the repo that has already been initialized, or set TF_BINARY to a vetted wrapper.
- The script writes the plan JSON to a secure temporary file and removes it on exit, but temporary files can persist until deleted; avoid running it on hosts where tmp is not trusted or where disk-forensics is a concern.
- Do not grant this skill more credentials than necessary. Because it relies on Terraform, it will use whatever provider credentials Terraform finds; run it with least privilege or in a read-only/staging account if possible.
- The discrepancies (metadata omitting dependencies, SKILL.md claiming purely in-memory while script uses a temp file) justify manual review; if you cannot review the script, treat the skill as potentially risky and test it in isolated environments first.
Capability Analysis
Type: OpenClaw Skill
Name: tf-plan-review
Version: 0.2.1
The skill is designed as a read-only Terraform plan analyzer. The `SKILL.md` explicitly instructs the AI agent with 'CRITICAL RULES' to NEVER run `terraform apply`, `destroy`, or any state-modifying commands, and to handle sensitive data carefully. The `scripts/tf-plan-review.sh` code adheres to these rules, using `set -euo pipefail`, consistently quoting paths to prevent shell injection, employing `jq --arg` for safe JSON interpolation, and running `terraform plan -out=/dev/null` to avoid writing plan files to disk. The `SECURITY.md` further reinforces these safety measures. There is no evidence of intentional malicious behavior, data exfiltration, or backdoors. The requested `exec` and `network` permissions are justified for its stated purpose of running Terraform commands and interacting with cloud provider APIs.
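As an added illustration of the classification the description promises (this is not the skill's own scripts/tf-plan-review.sh and not code from its author), the following Python reads a Terraform plan in the JSON shape produced by `terraform show -json <planfile>` and sorts each resource change into the four tiers safe, moderate, dangerous, critical. The tiering rules, the list of data-store resource types, the IAM name markers and the embedded sample plan are all constructed assumptions for this example; the skill's real rules are not shown on this page, and it consumes plan output via its own shell pipeline rather than this function. The example never invokes terraform, so it runs offline against the embedded sample.

```python
"""Risk-tier a Terraform plan's resource changes (added example, not the skill's code).

Input shape: the JSON emitted by `terraform show -json <planfile>`, whose
`resource_changes[].change.actions` is a list such as ["create"], ["update"],
["delete"], ["no-op"], or ["delete", "create"] / ["create", "delete"] for a
replacement.
"""
import json
from collections import Counter

RISK_LEVELS = ["safe", "moderate", "dangerous", "critical"]

# Assumption for this example: types whose deletion implies loss of stored data.
DATA_STORE_TYPES = {
    "aws_db_instance", "aws_rds_cluster", "aws_s3_bucket", "aws_dynamodb_table",
    "aws_ebs_volume", "google_sql_database_instance", "azurerm_storage_account",
}
# Assumption for this example: substrings that mark identity/authorization resources.
IAM_MARKERS = ("_iam_", "_role", "_policy", "role_binding")


def classify_change(resource_change):
    """Return one of RISK_LEVELS for a single resource_changes[] entry."""
    actions = set(resource_change["change"]["actions"])
    rtype = resource_change["type"]
    if actions <= {"no-op", "read"}:
        return "safe"            # nothing is mutated
    if "delete" in actions and rtype in DATA_STORE_TYPES:
        return "critical"        # destroy or replacement of a data store
    if "delete" in actions:
        return "dangerous"       # any other destroy or replacement
    if any(marker in rtype for marker in IAM_MARKERS):
        return "dangerous"       # IAM create/update shifts who can do what
    if "update" in actions:
        return "moderate"        # in-place change to a non-IAM resource
    return "safe"                # pure create


def review_plan(plan_json_text):
    """Classify every change in a plan JSON document and summarise the result."""
    plan = json.loads(plan_json_text)
    changes = []
    for rc in plan.get("resource_changes", []):
        changes.append({
            "address": rc["address"],
            "type": rc["type"],
            "actions": list(rc["change"]["actions"]),
            "risk": classify_change(rc),
        })
    counts = Counter(c["risk"] for c in changes)
    # Worst tier present; an empty plan is "safe".
    overall = max((c["risk"] for c in changes), key=RISK_LEVELS.index, default="safe")
    return {"changes": changes, "counts": dict(counts), "overall": overall}


def should_block(report, threshold="dangerous"):
    """True when the plan's worst change is at or above `threshold`."""
    return RISK_LEVELS.index(report["overall"]) >= RISK_LEVELS.index(threshold)


# Constructed sample plan for the example; not captured from any real run.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"]}},
        {"address": "aws_iam_role.ci", "type": "aws_iam_role",
         "change": {"actions": ["update"]}},
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["delete", "create"]}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"]}},
        {"address": "aws_cloudwatch_log_group.app", "type": "aws_cloudwatch_log_group",
         "change": {"actions": ["create"]}},
        {"address": "aws_vpc.main", "type": "aws_vpc",
         "change": {"actions": ["no-op"]}},
    ],
})

if __name__ == "__main__":
    report = review_plan(SAMPLE_PLAN)
    for change in report["changes"]:
        print(f"{change['risk']:<9} {change['address']:<30} {'+'.join(change['actions'])}")
    print("overall:", report["overall"], "| block apply:", should_block(report))
```

On the sample, the S3 bucket destroy is the single critical item, the IAM role update and the instance replacement are dangerous, the security-group update is moderate, and the rest is safe, so `should_block` returns True at the default threshold. The point of keeping the tier rules in small, named sets is that a reviewer can read and adjust them; a real deployment would extend DATA_STORE_TYPES and IAM_MARKERS to the providers actually in use.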
Capability Assessment
Purpose & Capability
The skill's name/description (Terraform plan risk analysis) aligns with the included script and SKILL.md. However, the registry metadata declares no required binaries or env vars while the code clearly depends on terraform (or tofu) and jq, and optionally timeout/gtimeout. That metadata omission is an incoherence that could mislead users or automated installers.
Instruction Scope
SKILL.md instructs agents to run the supplied script which runs `terraform plan -json`, `terraform validate`, `terraform state` queries and — when not initialized — runs `terraform init`. The docs repeatedly claim 'strictly read-only', but `terraform init` will create/modify the .terraform directory and may download providers/modules (network activity). The script writes plan output to a temporary file (mktemp) rather than entirely in-memory, contradicting some SKILL.md/README claims about never caching plan output to disk. The script contains no apparent instructions to exfiltrate data or contact third parties beyond normal Terraform/provider network activity.
Install Mechanism
There is no install spec (instruction-only + script). This is low-risk from a package-download perspective because nothing fetches arbitrary archives during installation. The script will, however, trigger provider/module downloads when running `terraform init` in a directory that needs initialization — a normal Terraform behavior and documented in SECURITY.md.
Credentials
The skill declares no required environment variables or credentials and does not request unrelated secrets. It does support TF_BINARY and TF_PLAN_TIMEOUT. It relies on the user's Terraform provider credentials indirectly (Terraform uses credentials) which is proportionate for a plan analysis tool. The registry metadata omission of terraform/jq is the main proportionality mismatch to be aware of.
Persistence & Privilege
The skill is configured with always:false and normal autonomous invocation settings. The script does create a temporary file for plan JSON and may create/update the .terraform directory via `terraform init` (documented as an allowed exception). It does not modify Terraform state or call terraform apply/destroy. Creating .terraform and temporary files is a modest level of persistence; understand that `terraform init` may download provider binaries into .terraform, which then remain on disk.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install tf-plan-review
- After installation, invoke the skill by name or use /tf-plan-review
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.1
Rebrand to Anvil AI. Remove CacheForge marketing copy. Normalize install commands.
v0.2.0
Republish — metadata refresh, force re-index
v0.1.2
Docs: normalize CacheForge footer and CTA.
v0.1.1
Launch: CacheForge wave 2. Discord v2 delivery, security hardened, production-grade.
Frequently Asked Questions
What is tf-plan-review?
Analyze Terraform plans for risk before you apply. Classifies every change as safe, moderate, dangerous, or critical. Detects destroys, IAM changes, data-los... It is an AI Agent Skill for Claude Code / OpenClaw, with 691 downloads so far.
How do I install tf-plan-review?
Run "/install tf-plan-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is tf-plan-review free?
Yes, tf-plan-review is completely free (open-source). You can download, install and use it at no cost.
Which platforms does tf-plan-review support?
tf-plan-review is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created tf-plan-review?
It is built and maintained by Todd Kuehnl (@tkuehnl); the current version is v0.2.1.