eliteforge-sonar-pmd-generator
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses docker run to manage SonarQube containers and mvn to build plugin artifacts. It also utilizes curl for API-based verification and configuration.
- [REMOTE_CODE_EXECUTION]: The core functionality involves generating Java source code from external specification documents, compiling it into a JAR file using Maven, and then executing that code within the SonarQube environment. This creates a significant attack surface for code injection if the input specifications are untrusted.
- [EXTERNAL_DOWNLOADS]: Pulls the sonarqube:community image from Docker Hub, which is a well-known service but involves running external code locally.
- [CREDENTIALS_UNSAFE]: The documentation and the verify_sonar_plugin.sh script refer to and utilize default credentials (admin:admin) for SonarQube administrative tasks, which is a poor security practice.
Audit Metadata