create-spring-boot-java-project
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: Downloads a project archive from the well-known Spring Initializr service (https://start.spring.io). This is the standard official source for Spring Boot project templates.
- [COMMAND_EXECUTION]: Executes several shell commands to extract the project, manage files, and run tests via the Maven wrapper.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by interpolating user-provided input (projectName) directly into shell commands. Ingestion points: '${input:projectName}' in SKILL.md. Boundary markers: None present. Capability inventory: unzip, cd, rm, and ./mvnw execution. Sanitization: None detected.
- [CREDENTIALS_UNSAFE]: Configures local development databases with default hardcoded passwords ('rootroot'). These are intended for the local Docker environments created by the skill and do not expose existing system secrets, but they represent a practice of hardcoding credentials in generated configuration.
Audit Metadata