Terraform Ai Skills
Author: Anmol Nagpal · v0.0.2
Total downloads: 425
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw:
/install terraform-ai-skills
Description
Use when bulk-managing Terraform modules at scale — upgrading providers across AWS, GCP, Azure, or DigitalOcean repositories, standardizing GitHub Actions wo...
Security usage recommendations
This skill appears to do what it claims, but it executes shell scripts that clone, modify, and push to many repositories — potentially at scale. Before installing or running:
1) Review the scripts (scripts/*.sh and run-with-provider.sh) line-by-line in a safe environment.
2) Test on a single non-production repository (the README and SKILL.md explicitly advise this).
3) Provide GitHub credentials with the minimum necessary scopes (use a fine‑grained token or repository-scoped PAT; the docs recommend contents:write, workflows:write, pull-requests:write only if needed).
4) Use DRY_RUN or create PRs (CREATE_PR=true) rather than direct commits while validating behavior.
5) Avoid exposing other secrets in config files; use GitHub secrets when integration is required.
6) Rotate and limit tokens after use and keep audit logs of operations.
If you need higher assurance, have a trusted engineer audit the scripts for any unexpected network calls or external endpoints before running at scale.
Functional analysis
Type: OpenClaw Skill
Name: terraform-ai-skills
Version: 0.0.2
The skill bundle is designed for legitimate Terraform module management, utilizing standard DevOps tools like `terraform`, `git`, and `gh`. It requests broad `filesystem` and `network` permissions, which are plausible for its stated purpose. However, the `run-with-provider.sh` script executes `bash "$SCRIPT_PATH" $ARGS` where `ARGS` is passed directly from user input without explicit sanitization. This creates a shell injection vulnerability (potential RCE) if a malicious user or a compromised AI agent provides crafted input for `ARGS`. While the skill's internal prompts and documentation emphasize safety and do not demonstrate malicious intent, this critical vulnerability, combined with the broad permissions, classifies it as 'suspicious' rather than 'benign' or 'malicious'.
Capability assessment
Purpose & Capability
Name/description (bulk Terraform module management, provider upgrades, workflow standardization, releases, validation) match the actual contents: bash scripts, config files, prompts, and docs. Declared required binaries (terraform, git, bash) and optional tools (gh, tfsec, tflint, trivy, checkov) are appropriate for the stated tasks.
Instruction Scope
SKILL.md and CLAUDE.md instruct the agent to run shipped scripts (run-with-provider.sh, scripts/*.sh) that clone, modify, and push changes across many repositories and optionally create GitHub releases. This is within the stated purpose, but these instructions imply broad filesystem and network activity and the ability to make destructive changes at scale — the docs explicitly recommend testing on one repo first and include safety/rollback guidance, which is good practice.
Install Mechanism
No install spec is provided (instruction-only), so nothing will be downloaded automatically. Code files are included in the skill and are intended to be executed locally; there are no third-party download URLs or extracted archives in the package that would raise additional supply-chain concerns.
Credentials
The skill manifest lists no required env vars or primary credential, but the scripts and documentation clearly expect certain environment variables and credentials at runtime (e.g., GH CLI usage, GitHub token permissions for commits/releases, CREATE_PR, ORG_NAME, SLACK_WEBHOOK_URL for optional notifications, and other runtime variables in docs/ENV-VARS.md). The absence of an explicit requires.env entry is an omission in the manifest (not necessarily malicious) — users must supply appropriate tokens with least privilege when running the skill.
Persistence & Privilege
The skill does not request always:true and claw.json lists only filesystem and network permissions, which are coherent with its purpose (cloning repos, modifying files, pushing changes, calling GH). It does not attempt to modify other skills or system-wide settings. Because the skill executes shell scripts, it will run with the invoking user's privileges — follow safe practice and test first.
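How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install terraform-ai-skills`
- Once installation completes, invoke the Skill by name or trigger it with `/terraform-ai-skills`
- Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history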
v0.0.2
- Improved skill description for bulk Terraform module management and multi-cloud support (AWS, GCP, Azure, DigitalOcean).
- Enhanced documentation: clear use cases, step-by-step quick start, and detailed provider/version requirements.
- Added reference guides for provider configs, safety/rollback, and real-world examples.
- Included expected time estimates and proven time savings for common operations.
- Clarified tool requirements and expanded optional integrations for validation and automation.
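FAQ
What is Terraform Ai Skills?
Use when bulk-managing Terraform modules at scale — upgrading providers across AWS, GCP, Azure, or DigitalOcean repositories, standardizing GitHub Actions wo... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 425 cumulative downloads so far.
How do I install Terraform Ai Skills?
Run the command `/install terraform-ai-skills` in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Terraform Ai Skills free?
Yes, Terraform Ai Skills is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Terraform Ai Skills support?
Terraform Ai Skills is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (linux, macos).
Who developed Terraform Ai Skills?
It is developed and maintained by Anmol Nagpal (@anmolnagpal); the current version is v0.0.2.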