Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

arbazkhan971/infra

Name: infra
Author: arbazkhan971

skills/infra/SKILL.md

npx skillsauth add arbazkhan971/godmode infra

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Infra — Infrastructure as Code

Activate When

User invokes /godmode:infra
User says "terraform plan", "provision infrastructure"
User says "check drift", "estimate costs"
Deployment requires new cloud resources

Workflow

Step 1: Discover Infrastructure Context

# Detect IaC tool
ls *.tf template.yaml Pulumi.yaml cdk.json \
  2>/dev/null

# Check state backend
grep -r 'backend\s*"s3"\|backend\s*"gcs"' *.tf \
  2>/dev/null

# List existing resources
terraform state list 2>/dev/null | head -20

INFRASTRUCTURE CONTEXT:
IaC Tool: Terraform | CloudFormation | Pulumi | CDK
Provider: AWS | GCP | Azure | Multi-cloud
State: S3 | GCS | Azure Blob | Terraform Cloud | Local
Environments: dev | staging | production

IF no IaC detected: scaffold new project
IF state is local: migrate to remote immediately
IF no policy checks: add OPA/Sentinel

Step 2: Validate Infrastructure

# Terraform validation
terraform fmt -check -recursive
terraform validate
terraform init -backend=false
terraform plan -out=tfplan

# CloudFormation validation
aws cloudformation validate-template \
  --template-body file://template.yaml
cfn-lint template.yaml

# Pulumi / CDK
pulumi preview --diff
cdk synth && cdk diff

Step 3: Security & Policy Enforcement

POLICY CHECKLIST:
  [ ] No public S3 buckets or storage
  [ ] No SGs with 0.0.0.0/0 on sensitive ports
  [ ] Encryption at rest on all data stores
  [ ] TLS 1.2+ enforced in transit
  [ ] No hardcoded secrets in IaC
  [ ] IAM least-privilege (no * actions)
  [ ] All resources tagged: env, team, cost-center
  [ ] VPC flow logs enabled
  [ ] CloudTrail / audit logging enabled

THRESHOLDS:
  CRITICAL: public data store, leaked secrets, * IAM
  HIGH: missing encryption, no tags, no audit logs
  MEDIUM: suboptimal instance type, missing flow logs
  IF any CRITICAL: block deployment immediately

Step 4: Cost Estimation

# Infracost for Terraform
infracost breakdown --path .
infracost diff --path . \
  --compare-to infracost-base.json

COST ESTIMATE:
| Resource                  | Monthly  | Change   |
|---------------------------|----------|----------|
| aws_instance.api (t3.lg)  | $60.74   | NEW      |
| aws_rds.primary (r5.lg)   | $172.80  | —        |
| aws_elasticache.redis      | $48.62   | NEW      |
| TOTAL                      | $306.73  | +$109.36 |

THRESHOLDS:
  IF cost delta > 20% of current: require approval
  IF monthly > budget ceiling: suggest optimizations
  IF cost per request > $0.01: investigate alternatives

Step 5: Drift Detection

# Terraform drift
terraform plan -detailed-exitcode
# Exit 0=no changes, 1=error, 2=drift detected

# CloudFormation drift
aws cloudformation detect-stack-drift \
  --stack-name <stack>

DRIFT REPORT:
  In sync: 14/16 resources
  Drifted: 2/16 resources
  IF drift found in security group: investigate ASAP
  IF drift found in instance type: update IaC or revert

Step 6: IaC Testing

# Unit tests (Terratest)
cd test/ && go test -v -timeout 30m

# Integration tests
terraform apply -auto-approve -var-file=test.tfvars
./scripts/infra-integration-test.sh
terraform destroy -auto-approve -var-file=test.tfvars

# Compliance (InSpec)
inspec exec profiles/cloud-security --target aws://

Step 7: Deployment Plan

DEPLOYMENT PLAN — <environment>:
  CREATE: <N> resources
  UPDATE: <N> resources
  DELETE: <N> resources
  UNCHANGED: <N> resources

SAFETY:
  IF any DELETE: require manual confirmation
  IF > 5 resources changing: deploy in stages
  IF database resource changing: take snapshot first

Step 8: Apply & Verify

terraform apply tfplan
terraform output -json > outputs.json

# Post-deployment health check
curl -s -o /dev/null -w "%{http_code}" \
  https://api.example.com/health

Commit: "infra: <description> — <N> resources (<cost delta>)"

Key Behaviors

Never ask to continue. Loop autonomously until done.

Never apply without a plan. Review first.
Policy is mandatory. Every change checked.
Cost awareness. Estimate with every change.
Drift is a bug. Detect and reconcile.
State is sacred. Never modify manually.
Environments isolated. Separate state/creds.
Secrets never in IaC. Use secret managers.

HARD RULES

Never apply without reviewing plan output.
Never hardcode secrets in IaC files.
Never use local state in production.
Never use * in IAM policies.
Never skip resource tagging (env, team, cost-center).
Never share state between environments.
Never modify state files manually.
Always run policy checks before deployment.
Always include cost estimation with changes.
Always encrypt at rest and in transit (TLS 1.2+).

Auto-Detection

1. IaC: *.tf, template.yaml, Pulumi.yaml, cdk.json
2. Provider: aws/google/azurerm blocks
3. State: backend "s3"/"gcs"/"azurerm"

Quality Targets

Target: <5min for infrastructure plan generation
Target: 0 drift between declared and actual state
Cost estimate accuracy: >=90% vs actual spend
Target: <15min for full environment provisioning

Output Format

Print: Infra: {resources} resources, {modules} modules. Drift: {status}. Security: {violations}. Cost: ${monthly}/mo. Verdict: {verdict}.

TSV Logging

iteration	provider	resources	drift	policy_violations	status

Keep/Discard Discipline

KEEP if: plan shows expected changes
  AND policy passes AND cost within budget
DISCARD if: unexpected destroys OR policy violations
  OR cost exceeds threshold

Stop Conditions

STOP when ANY of:
  - All environments validated
  - All policy violations resolved
  - User requests stop
  - CRITICAL violation needs architectural change

Error Recovery

Unexpected destroys: check state, use terraform state mv.
State lock stuck: force-unlock only if holder dead.
Drift in prod: investigate, import or revert.
Cost exceeds budget: check over-provisioned resources.

arbazkhan971/infra

skills/infra/SKILL.md

Infrastructure as Code skill. Terraform, CloudFormation, Pulumi, CDK. IaC testing, cost estimation, drift detection, policy enforcement. Triggers on: /godmode:infra, "terraform plan", "provision infrastructure", "infrastructure review".

9 stars

development

Updated Apr 17, 2026

$ install --global

skillsauth

npx skillsauth add arbazkhan971/godmode infra

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 17, 2026, 3:15 AM4.7s1 file scanned

SKILL.md

name:: infra
description:: |
/godmode:: infra, "terraform plan", "provision

Infra — Infrastructure as Code

Activate When

User invokes /godmode:infra
User says "terraform plan", "provision infrastructure"
User says "check drift", "estimate costs"
Deployment requires new cloud resources

Workflow

Step 1: Discover Infrastructure Context

# Detect IaC tool
ls *.tf template.yaml Pulumi.yaml cdk.json \
  2>/dev/null

# Check state backend
grep -r 'backend\s*"s3"\|backend\s*"gcs"' *.tf \
  2>/dev/null

# List existing resources
terraform state list 2>/dev/null | head -20

INFRASTRUCTURE CONTEXT:
IaC Tool: Terraform | CloudFormation | Pulumi | CDK
Provider: AWS | GCP | Azure | Multi-cloud
State: S3 | GCS | Azure Blob | Terraform Cloud | Local
Environments: dev | staging | production

IF no IaC detected: scaffold new project
IF state is local: migrate to remote immediately
IF no policy checks: add OPA/Sentinel

Step 2: Validate Infrastructure

# Terraform validation
terraform fmt -check -recursive
terraform validate
terraform init -backend=false
terraform plan -out=tfplan

# CloudFormation validation
aws cloudformation validate-template \
  --template-body file://template.yaml
cfn-lint template.yaml

# Pulumi / CDK
pulumi preview --diff
cdk synth && cdk diff

Step 3: Security & Policy Enforcement

POLICY CHECKLIST:
  [ ] No public S3 buckets or storage
  [ ] No SGs with 0.0.0.0/0 on sensitive ports
  [ ] Encryption at rest on all data stores
  [ ] TLS 1.2+ enforced in transit
  [ ] No hardcoded secrets in IaC
  [ ] IAM least-privilege (no * actions)
  [ ] All resources tagged: env, team, cost-center
  [ ] VPC flow logs enabled
  [ ] CloudTrail / audit logging enabled

THRESHOLDS:
  CRITICAL: public data store, leaked secrets, * IAM
  HIGH: missing encryption, no tags, no audit logs
  MEDIUM: suboptimal instance type, missing flow logs
  IF any CRITICAL: block deployment immediately

Step 4: Cost Estimation

# Infracost for Terraform
infracost breakdown --path .
infracost diff --path . \
  --compare-to infracost-base.json

COST ESTIMATE:
| Resource                  | Monthly  | Change   |
|---------------------------|----------|----------|
| aws_instance.api (t3.lg)  | $60.74   | NEW      |
| aws_rds.primary (r5.lg)   | $172.80  | —        |
| aws_elasticache.redis      | $48.62   | NEW      |
| TOTAL                      | $306.73  | +$109.36 |

THRESHOLDS:
  IF cost delta > 20% of current: require approval
  IF monthly > budget ceiling: suggest optimizations
  IF cost per request > $0.01: investigate alternatives

Step 5: Drift Detection

# Terraform drift
terraform plan -detailed-exitcode
# Exit 0=no changes, 1=error, 2=drift detected

# CloudFormation drift
aws cloudformation detect-stack-drift \
  --stack-name <stack>

DRIFT REPORT:
  In sync: 14/16 resources
  Drifted: 2/16 resources
  IF drift found in security group: investigate ASAP
  IF drift found in instance type: update IaC or revert

Step 6: IaC Testing

# Unit tests (Terratest)
cd test/ && go test -v -timeout 30m

# Integration tests
terraform apply -auto-approve -var-file=test.tfvars
./scripts/infra-integration-test.sh
terraform destroy -auto-approve -var-file=test.tfvars

# Compliance (InSpec)
inspec exec profiles/cloud-security --target aws://

Step 7: Deployment Plan

DEPLOYMENT PLAN — <environment>:
  CREATE: <N> resources
  UPDATE: <N> resources
  DELETE: <N> resources
  UNCHANGED: <N> resources

SAFETY:
  IF any DELETE: require manual confirmation
  IF > 5 resources changing: deploy in stages
  IF database resource changing: take snapshot first

Step 8: Apply & Verify

terraform apply tfplan
terraform output -json > outputs.json

# Post-deployment health check
curl -s -o /dev/null -w "%{http_code}" \
  https://api.example.com/health

Commit: "infra: <description> — <N> resources (<cost delta>)"

Key Behaviors

Never ask to continue. Loop autonomously until done.

Never apply without a plan. Review first.
Policy is mandatory. Every change checked.
Cost awareness. Estimate with every change.
Drift is a bug. Detect and reconcile.
State is sacred. Never modify manually.
Environments isolated. Separate state/creds.
Secrets never in IaC. Use secret managers.

HARD RULES

Never apply without reviewing plan output.
Never hardcode secrets in IaC files.
Never use local state in production.
Never use * in IAM policies.
Never skip resource tagging (env, team, cost-center).
Never share state between environments.
Never modify state files manually.
Always run policy checks before deployment.
Always include cost estimation with changes.
Always encrypt at rest and in transit (TLS 1.2+).

Auto-Detection

1. IaC: *.tf, template.yaml, Pulumi.yaml, cdk.json
2. Provider: aws/google/azurerm blocks
3. State: backend "s3"/"gcs"/"azurerm"

Quality Targets

Target: <5min for infrastructure plan generation
Target: 0 drift between declared and actual state
Cost estimate accuracy: >=90% vs actual spend
Target: <15min for full environment provisioning

Output Format

Print: Infra: {resources} resources, {modules} modules. Drift: {status}. Security: {violations}. Cost: ${monthly}/mo. Verdict: {verdict}.

TSV Logging

iteration	provider	resources	drift	policy_violations	status

Keep/Discard Discipline

KEEP if: plan shows expected changes
  AND policy passes AND cost within budget
DISCARD if: unexpected destroys OR policy violations
  OR cost exceeds threshold

Stop Conditions

STOP when ANY of:
  - All environments validated
  - All policy violations resolved
  - User requests stop
  - CRITICAL violation needs architectural change

Error Recovery

Unexpected destroys: check state, use terraform state mv.
State lock stuck: force-unlock only if holder dead.
Drift in prod: investigate, import or revert.
Cost exceeds budget: check over-provisioned resources.

Related Skills

arbazkhan971/webperf

development

VerifiedTrustedCommunity

Web performance optimization. Lighthouse, bundle analysis, code splitting, image optimization, critical CSS, fonts, service workers, CDN.

10SKILL.mdUpdated Apr 26, 2026

arbazkhan971/webhook

development

VerifiedTrustedCommunity

Webhook design, delivery, retry, HMAC verification, event subscriptions, dead letter queues.

10SKILL.mdUpdated Apr 26, 2026

arbazkhan971/vue

development

VerifiedTrustedCommunity

Vue.js mastery. Composition API, Pinia, Vue Router, Nuxt SSR/SSG, Vite optimization, testing.

10SKILL.mdUpdated Apr 26, 2026

arbazkhan971/verify

development

VerifiedTrustedCommunity

Evidence gate. Run command, read full output, confirm or deny claim. No trust, only proof.

10SKILL.mdUpdated Apr 26, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/arbazkhan971/godmode.git

# Copy into Claude Code skills folder (global)
cp -r godmode/skills/infra ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

arbazkhan971/godmode

9 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT