{ "schemaVersion": "1.0", "item": { "slug": "tf-plan-review", "name": "tf-plan-review", "source": "tencent", "type": "skill", "category": "数据分析", "sourceUrl": "https://clawhub.ai/tkuehnl/tf-plan-review", "canonicalUrl": "https://clawhub.ai/tkuehnl/tf-plan-review", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/tf-plan-review", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=tf-plan-review", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "CHANGELOG.md", "README.md", "SECURITY.md", "SKILL.md", "TESTING.md", "scripts/tf-plan-review.sh" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/tf-plan-review" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/tf-plan-review", "agentPageUrl": "https://openagent3.xyz/skills/tf-plan-review/agent", "manifestUrl": "https://openagent3.xyz/skills/tf-plan-review/agent.json", "briefUrl": "https://openagent3.xyz/skills/tf-plan-review/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Terraform Plan Analyzer & Risk Assessor", "body": "Analyze terraform plan output and produce an AI-powered risk assessment of every infrastructure change — before you press apply.\n\nThis skill is STRICTLY READ-ONLY. It runs terraform plan and terraform validate to analyze changes, but it NEVER runs terraform apply, terraform destroy, terraform import, terraform taint, or any command that modifies infrastructure or state." }, { "title": "Activation", "body": "This skill activates when the user mentions:\n\n\"terraform plan\", \"tf plan\", \"review plan\", \"plan review\"\n\"is this plan safe\", \"safe to apply\", \"risk assessment\"\n\"what will be destroyed\", \"what changes\", \"terraform changes\"\n\"terraform state\", \"state drift\", \"drift detection\"\n\"terraform validate\", \"validate config\", \"tf validate\"\n\"IAM changes\", \"security group changes\", \"infrastructure changes\"\n\"blast radius\", \"cascade effects\", \"dependencies\"\n\"tofu plan\", \"opentofu\" (same workflow, different binary)" }, { "title": "Example Prompts", "body": "\"Review this terraform plan before I apply\"\n\"What will be destroyed in this plan?\"\n\"Is this plan safe to apply?\"\n\"Show me the state drift\"\n\"What IAM changes are in this plan?\"\n\"Validate my terraform config in ~/infra/prod\"\n\"Run a risk assessment on the terraform plan in /deployments/staging\"\n\"What's the blast radius if I apply this plan?\"" }, { "title": "Permissions", "body": "permissions:\n exec: true # Required to run terraform/tofu CLI\n read: true # Read .tf files and plan output\n write: false # NEVER writes — strictly read-only analysis\n network: true # terraform plan needs provider API access" }, { "title": "Terraform Change Types — What the Agent Must Know", "body": "Understanding Terraform change types is critical for accurate risk assessment:" }, { "title": "Action Types (from plan JSON)", "body": "ActionMeaningRisk ProfilecreateNew resource being addedGenerally safe (unless IAM/security)updateExisting resource modified in-placeModerate (depends on what's changing)deleteResource being permanently destroyedDANGEROUS — data loss riskreplace (delete + create)Resource must be destroyed and recreatedDANGEROUS — downtime + data lossreadData source being refreshedSafe (read-only)no-opNo changes neededSafe" }, { "title": "What Makes a Change Dangerous", "body": "Critical (🔴 CRITICAL):\n\nAny destroy/replace of: IAM roles/policies, security groups, KMS keys, secrets, databases (RDS, DynamoDB, Cloud SQL, Azure SQL), S3 buckets, DNS records, WAF rules, CloudTrail\nAny update to IAM policies, security group rules, encryption settings\nThese changes can cause data loss, security breaches, or service outages\n\nDangerous (🟠 DANGEROUS):\n\nDestroy/replace of: EC2 instances, load balancers, ECS/EKS clusters, VPCs, subnets, NAT gateways, Lambda functions, API gateways\nThese changes cause downtime and may require manual intervention to recover\n\nModerate (🟡 MODERATE):\n\nUpdates to: autoscaling policies, monitoring/alerting rules, launch templates\nCreates of: security-sensitive resources (new IAM roles, new security groups)\nChanges that affect capacity or observability but not data integrity\n\nSafe (🟢 SAFE):\n\nTag-only updates\nCreating new non-sensitive resources\nNo-op / read operations" }, { "title": "Replace is Especially Dangerous", "body": "When Terraform says it must \"replace\" a resource, it means:\n\nDelete the existing resource (irreversible)\nCreate a new one with the new configuration\n\nThis is triggered when an immutable attribute changes (e.g., changing RDS engine_version, EC2 ami, changing a subnet's AZ). The agent should always flag replaces prominently because:\n\nThe old resource (and its data) is destroyed\nThere will be a gap between destroy and create (downtime)\nDependent resources may break during the transition" }, { "title": "Agent Workflow", "body": "Follow this sequence exactly based on user intent:" }, { "title": "For Plan Analysis (\"review this plan\", \"is it safe\", \"what changes\")", "body": "Step 1: Run Plan Analysis\n\nbash /scripts/tf-plan-review.sh plan \n\nIf no directory specified, use the current working directory.\n\nThe script outputs:\n\nstdout: Structured JSON with all resource changes, risk classifications, and summary\nstderr: Beautiful Markdown risk report\n\nStep 2: Interpret the JSON\n\nParse the JSON output. Key fields:\n\n{\n \"overall_risk\": \"🔴 CRITICAL | 🔴 HIGH | 🟡 MODERATE | 🟢 LOW\",\n \"summary\": {\n \"create\": 5,\n \"update\": 3,\n \"destroy\": 1,\n \"replace\": 0\n },\n \"risk_breakdown\": {\n \"critical\": 1,\n \"dangerous\": 0,\n \"moderate\": 2,\n \"safe\": 5\n },\n \"resources\": [\n {\n \"address\": \"aws_iam_role.admin\",\n \"action\": \"delete\",\n \"risk\": \"🔴 CRITICAL\"\n }\n ]\n}\n\nStep 3: Present the Risk Assessment\n\nShow the Markdown report from stderr. Then add your own AI analysis:\n\nLead with the overall risk level — make it viscerally clear\nHighlight destroys and critical changes first — these are what kill production\nExplain WHY each critical change is dangerous in plain English\nAssess blast radius — what other resources depend on the destroyed ones?\nPresent the pre-apply checklist — what should the human verify?\nGive a clear recommendation: \"Safe to apply\" / \"Review needed\" / \"DO NOT APPLY without ___\"\n\nTone guidance for critical plans:\n\nDon't be polite about danger. If a plan destroys a production database, say so bluntly.\n\"This plan will permanently delete your RDS instance prod-db. All data will be lost. Do you have a backup?\"\nMake the \"oh shit\" moment impossible to miss." }, { "title": "For State Inspection (\"show me state\", \"what's managed\", \"state drift\")", "body": "bash /scripts/tf-plan-review.sh state \"\" \n\nThe filter is optional — it greps resource addresses. Examples:\n\nbash /scripts/tf-plan-review.sh state \"iam\" . → all IAM resources\nbash /scripts/tf-plan-review.sh state \"aws_instance\" . → all EC2 instances\nbash /scripts/tf-plan-review.sh state \"\" . → all resources" }, { "title": "For Validation (\"validate config\", \"check syntax\")", "body": "bash /scripts/tf-plan-review.sh validate \n\nReports configuration errors and warnings without running a plan." }, { "title": "Environment Variables", "body": "VariableDefaultDescriptionTF_BINARYauto-detectOverride binary: terraform, tofu, or a pathTF_PLAN_TIMEOUT600Timeout for terraform plan in seconds\n\nThe script auto-detects terraform first, then tofu. Set TF_BINARY=tofu to force OpenTofu." }, { "title": "Error Handling", "body": "SituationBehaviorterraform/tofu not foundJSON error with install links for bothjq not foundJSON error with install linkNo .tf files in directoryJSON error: \"No Terraform configuration files found\"Not initializedAuto-runs terraform init (for plan) or terraform init -backend=false (for validate)Plan fails (provider errors)Extracts error from plan JSON diagnostics, reports itPlan timeoutProcess killed after TF_PLAN_TIMEOUT secondsState not foundJSON error explaining no state existsEmpty stateReports \"State is empty — no managed resources\"" }, { "title": "Safety — CRITICAL RULES", "body": "NEVER run terraform apply — not even with -auto-approve, not even with -target, not even \"just this one resource\". NEVER.\nNEVER run terraform destroy — not under any circumstances.\nNEVER run terraform import — this modifies state.\nNEVER run terraform taint or terraform untaint — these modify state.\nNEVER run terraform state mv, terraform state rm, or terraform state push — these modify state.\nNever expose cloud credentials — if they appear in plan output, redact them.\nHandle sensitive values — Terraform marks values as (sensitive). Never try to reveal them.\nNever cache or store plan output — plans can contain secrets in resource attributes.\nThe ONLY terraform commands this skill runs are: plan, show, state list, state show, validate, init, providers.\n\nIf the user asks you to apply a plan, respond:\n\n\"I can analyze and assess Terraform plans, but I cannot apply them. Applying infrastructure changes requires human review and explicit execution. Based on my analysis, here's what you should verify before running terraform apply...\"" }, { "title": "\"Is this plan safe to apply?\"", "body": "Run the plan analysis. If overall_risk is 🟢 LOW:\n\n\"This plan looks safe. It creates X new resources with no destroys or security changes. The pre-apply checklist is straightforward.\"\n\nIf overall_risk is 🔴 CRITICAL:\n\n\"⚠️ This plan has CRITICAL risk. [Explain specific dangers]. I strongly recommend review by another team member before applying.\"" }, { "title": "\"What will be destroyed?\"", "body": "Run plan, then filter for action == \"delete\" or action == \"replace\". Present each with:\n\nResource address\nResource type\nWhy it matters (is it stateful? does it have data?)\nWhat depends on it" }, { "title": "\"What IAM changes are in this plan?\"", "body": "Run plan, then filter resources matching IAM patterns. For each:\n\nWhat permission is changing\nIs it adding or removing access\nIs it overly permissive (e.g., Action: *)" }, { "title": "\"Show me the blast radius\"", "body": "Run plan, identify all destroys/replaces, then explain:\n\nWhat other resources reference the destroyed ones\nWhat will break when the resource is gone\nWhether Terraform will auto-fix the dependencies or if manual intervention is needed" }, { "title": "Discord v2 Delivery Mode (OpenClaw v2026.2.14+)", "body": "When the conversation is happening in a Discord channel:\n\nSend a compact first summary (overall risk, destroy count, critical resources), then ask if the user wants the full report.\nKeep the first response under ~1200 characters and avoid large Markdown tables in the first message.\nIf Discord components are available, include quick actions:\n\nShow Critical Changes\nShow Destroyed Resources\nShow Pre-Apply Checklist\n\n\nIf components are not available, provide the same follow-ups as a numbered list.\nPrefer short follow-up chunks (<=15 lines per message) for large plans." }, { "title": "Sensitive Data Handling", "body": "Terraform plan JSON may contain sensitive values. The script does NOT extract resource attribute values — it only extracts resource addresses, types, and actions. However, when presenting results:\n\nNever show attribute values marked (sensitive) by Terraform\nNever show provider credentials or backend configuration secrets\nIf a user asks \"what value is changing?\", explain that you can see the change type but sensitive values are redacted by Terraform for security\nNever store or cache plan output files" } ], "body": "Terraform Plan Analyzer & Risk Assessor\n\nAnalyze terraform plan output and produce an AI-powered risk assessment of every infrastructure change — before you press apply.\n\nThis skill is STRICTLY READ-ONLY. It runs terraform plan and terraform validate to analyze changes, but it NEVER runs terraform apply, terraform destroy, terraform import, terraform taint, or any command that modifies infrastructure or state.\n\nActivation\n\nThis skill activates when the user mentions:\n\n\"terraform plan\", \"tf plan\", \"review plan\", \"plan review\"\n\"is this plan safe\", \"safe to apply\", \"risk assessment\"\n\"what will be destroyed\", \"what changes\", \"terraform changes\"\n\"terraform state\", \"state drift\", \"drift detection\"\n\"terraform validate\", \"validate config\", \"tf validate\"\n\"IAM changes\", \"security group changes\", \"infrastructure changes\"\n\"blast radius\", \"cascade effects\", \"dependencies\"\n\"tofu plan\", \"opentofu\" (same workflow, different binary)\nExample Prompts\n\"Review this terraform plan before I apply\"\n\"What will be destroyed in this plan?\"\n\"Is this plan safe to apply?\"\n\"Show me the state drift\"\n\"What IAM changes are in this plan?\"\n\"Validate my terraform config in ~/infra/prod\"\n\"Run a risk assessment on the terraform plan in /deployments/staging\"\n\"What's the blast radius if I apply this plan?\"\nPermissions\npermissions:\n exec: true # Required to run terraform/tofu CLI\n read: true # Read .tf files and plan output\n write: false # NEVER writes — strictly read-only analysis\n network: true # terraform plan needs provider API access\n\nTerraform Change Types — What the Agent Must Know\n\nUnderstanding Terraform change types is critical for accurate risk assessment:\n\nAction Types (from plan JSON)\nAction\tMeaning\tRisk Profile\ncreate\tNew resource being added\tGenerally safe (unless IAM/security)\nupdate\tExisting resource modified in-place\tModerate (depends on what's changing)\ndelete\tResource being permanently destroyed\tDANGEROUS — data loss risk\nreplace (delete + create)\tResource must be destroyed and recreated\tDANGEROUS — downtime + data loss\nread\tData source being refreshed\tSafe (read-only)\nno-op\tNo changes needed\tSafe\nWhat Makes a Change Dangerous\n\nCritical (🔴 CRITICAL):\n\nAny destroy/replace of: IAM roles/policies, security groups, KMS keys, secrets, databases (RDS, DynamoDB, Cloud SQL, Azure SQL), S3 buckets, DNS records, WAF rules, CloudTrail\nAny update to IAM policies, security group rules, encryption settings\nThese changes can cause data loss, security breaches, or service outages\n\nDangerous (🟠 DANGEROUS):\n\nDestroy/replace of: EC2 instances, load balancers, ECS/EKS clusters, VPCs, subnets, NAT gateways, Lambda functions, API gateways\nThese changes cause downtime and may require manual intervention to recover\n\nModerate (🟡 MODERATE):\n\nUpdates to: autoscaling policies, monitoring/alerting rules, launch templates\nCreates of: security-sensitive resources (new IAM roles, new security groups)\nChanges that affect capacity or observability but not data integrity\n\nSafe (🟢 SAFE):\n\nTag-only updates\nCreating new non-sensitive resources\nNo-op / read operations\nReplace is Especially Dangerous\n\nWhen Terraform says it must \"replace\" a resource, it means:\n\nDelete the existing resource (irreversible)\nCreate a new one with the new configuration\n\nThis is triggered when an immutable attribute changes (e.g., changing RDS engine_version, EC2 ami, changing a subnet's AZ). The agent should always flag replaces prominently because:\n\nThe old resource (and its data) is destroyed\nThere will be a gap between destroy and create (downtime)\nDependent resources may break during the transition\nAgent Workflow\n\nFollow this sequence exactly based on user intent:\n\nFor Plan Analysis (\"review this plan\", \"is it safe\", \"what changes\")\nStep 1: Run Plan Analysis\nbash /scripts/tf-plan-review.sh plan \n\n\nIf no directory specified, use the current working directory.\n\nThe script outputs:\n\nstdout: Structured JSON with all resource changes, risk classifications, and summary\nstderr: Beautiful Markdown risk report\nStep 2: Interpret the JSON\n\nParse the JSON output. Key fields:\n\n{\n \"overall_risk\": \"🔴 CRITICAL | 🔴 HIGH | 🟡 MODERATE | 🟢 LOW\",\n \"summary\": {\n \"create\": 5,\n \"update\": 3,\n \"destroy\": 1,\n \"replace\": 0\n },\n \"risk_breakdown\": {\n \"critical\": 1,\n \"dangerous\": 0,\n \"moderate\": 2,\n \"safe\": 5\n },\n \"resources\": [\n {\n \"address\": \"aws_iam_role.admin\",\n \"action\": \"delete\",\n \"risk\": \"🔴 CRITICAL\"\n }\n ]\n}\n\nStep 3: Present the Risk Assessment\n\nShow the Markdown report from stderr. Then add your own AI analysis:\n\nLead with the overall risk level — make it viscerally clear\nHighlight destroys and critical changes first — these are what kill production\nExplain WHY each critical change is dangerous in plain English\nAssess blast radius — what other resources depend on the destroyed ones?\nPresent the pre-apply checklist — what should the human verify?\nGive a clear recommendation: \"Safe to apply\" / \"Review needed\" / \"DO NOT APPLY without ___\"\n\nTone guidance for critical plans:\n\nDon't be polite about danger. If a plan destroys a production database, say so bluntly.\n\"This plan will permanently delete your RDS instance prod-db. All data will be lost. Do you have a backup?\"\nMake the \"oh shit\" moment impossible to miss.\nFor State Inspection (\"show me state\", \"what's managed\", \"state drift\")\nbash /scripts/tf-plan-review.sh state \"\" \n\n\nThe filter is optional — it greps resource addresses. Examples:\n\nbash /scripts/tf-plan-review.sh state \"iam\" . → all IAM resources\nbash /scripts/tf-plan-review.sh state \"aws_instance\" . → all EC2 instances\nbash /scripts/tf-plan-review.sh state \"\" . → all resources\nFor Validation (\"validate config\", \"check syntax\")\nbash /scripts/tf-plan-review.sh validate \n\n\nReports configuration errors and warnings without running a plan.\n\nEnvironment Variables\nVariable\tDefault\tDescription\nTF_BINARY\tauto-detect\tOverride binary: terraform, tofu, or a path\nTF_PLAN_TIMEOUT\t600\tTimeout for terraform plan in seconds\n\nThe script auto-detects terraform first, then tofu. Set TF_BINARY=tofu to force OpenTofu.\n\nError Handling\nSituation\tBehavior\nterraform/tofu not found\tJSON error with install links for both\njq not found\tJSON error with install link\nNo .tf files in directory\tJSON error: \"No Terraform configuration files found\"\nNot initialized\tAuto-runs terraform init (for plan) or terraform init -backend=false (for validate)\nPlan fails (provider errors)\tExtracts error from plan JSON diagnostics, reports it\nPlan timeout\tProcess killed after TF_PLAN_TIMEOUT seconds\nState not found\tJSON error explaining no state exists\nEmpty state\tReports \"State is empty — no managed resources\"\nSafety — CRITICAL RULES\nNEVER run terraform apply — not even with -auto-approve, not even with -target, not even \"just this one resource\". NEVER.\nNEVER run terraform destroy — not under any circumstances.\nNEVER run terraform import — this modifies state.\nNEVER run terraform taint or terraform untaint — these modify state.\nNEVER run terraform state mv, terraform state rm, or terraform state push — these modify state.\nNever expose cloud credentials — if they appear in plan output, redact them.\nHandle sensitive values — Terraform marks values as (sensitive). Never try to reveal them.\nNever cache or store plan output — plans can contain secrets in resource attributes.\nThe ONLY terraform commands this skill runs are: plan, show, state list, state show, validate, init, providers.\n\nIf the user asks you to apply a plan, respond:\n\n\"I can analyze and assess Terraform plans, but I cannot apply them. Applying infrastructure changes requires human review and explicit execution. Based on my analysis, here's what you should verify before running terraform apply...\"\n\nCommon Patterns & Agent Tips\n\"Is this plan safe to apply?\"\n\nRun the plan analysis. If overall_risk is 🟢 LOW:\n\n\"This plan looks safe. It creates X new resources with no destroys or security changes. The pre-apply checklist is straightforward.\"\n\nIf overall_risk is 🔴 CRITICAL:\n\n\"⚠️ This plan has CRITICAL risk. [Explain specific dangers]. I strongly recommend review by another team member before applying.\"\n\n\"What will be destroyed?\"\n\nRun plan, then filter for action == \"delete\" or action == \"replace\". Present each with:\n\nResource address\nResource type\nWhy it matters (is it stateful? does it have data?)\nWhat depends on it\n\"What IAM changes are in this plan?\"\n\nRun plan, then filter resources matching IAM patterns. For each:\n\nWhat permission is changing\nIs it adding or removing access\nIs it overly permissive (e.g., Action: *)\n\"Show me the blast radius\"\n\nRun plan, identify all destroys/replaces, then explain:\n\nWhat other resources reference the destroyed ones\nWhat will break when the resource is gone\nWhether Terraform will auto-fix the dependencies or if manual intervention is needed\nDiscord v2 Delivery Mode (OpenClaw v2026.2.14+)\n\nWhen the conversation is happening in a Discord channel:\n\nSend a compact first summary (overall risk, destroy count, critical resources), then ask if the user wants the full report.\nKeep the first response under ~1200 characters and avoid large Markdown tables in the first message.\nIf Discord components are available, include quick actions:\nShow Critical Changes\nShow Destroyed Resources\nShow Pre-Apply Checklist\nIf components are not available, provide the same follow-ups as a numbered list.\nPrefer short follow-up chunks (<=15 lines per message) for large plans.\nSensitive Data Handling\n\nTerraform plan JSON may contain sensitive values. The script does NOT extract resource attribute values — it only extracts resource addresses, types, and actions. However, when presenting results:\n\nNever show attribute values marked (sensitive) by Terraform\nNever show provider credentials or backend configuration secrets\nIf a user asks \"what value is changing?\", explain that you can see the change type but sensitive values are redacted by Terraform for security\nNever store or cache plan output files\nPowered by Anvil AI 🔍" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/tkuehnl/tf-plan-review", "publisherUrl": "https://clawhub.ai/tkuehnl/tf-plan-review", "owner": "tkuehnl", "version": "0.2.1", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/tf-plan-review", "downloadUrl": "https://openagent3.xyz/downloads/tf-plan-review", "agentUrl": "https://openagent3.xyz/skills/tf-plan-review/agent", "manifestUrl": "https://openagent3.xyz/skills/tf-plan-review/agent.json", "briefUrl": "https://openagent3.xyz/skills/tf-plan-review/agent.md" } }