Java CWE Security Skills Collection
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation provides various shell command patterns using `grep` (e.g., `grep -rn "Runtime.getRuntime().exec"`) intended to help users and AI agents identify vulnerable code segments within a Java project. These are legitimate security auditing tools.
- [CREDENTIALS_UNSAFE]: Instructional examples in several `SKILL.md` files (such as `cwe-798-hardcoded-credentials` and `cwe-259-hardcoded-password`) include hardcoded string literals for passwords and API keys (e.g., `sk-1234567890abcdef`). These are explicitly used as negative examples within 'Vulnerable Pattern' sections to teach AI agents how to recognize and remediate such insecure practices.
- [EXTERNAL_DOWNLOADS]: The `README.md` and installation guides suggest the use of the `npx skills` command to download the skill collection from the author's GitHub repository, and provide links to the official MITRE CWE database for reference.
Audit Metadata