Skills
skills/github/awesome-copilot/create-spring-boot-java-project/Gen Agent Trust Hub

create-spring-boot-java-project

Pass

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads a project skeleton from the official Spring Initializr service at https://start.spring.io/starter.zip. This is a well-known and trusted technology service for Java project generation.
  • [COMMAND_EXECUTION]: The skill performs standard project initialization shell operations, including unzipping archive files, navigating directories, and executing the Maven wrapper (./mvnw) to run tests.
  • [PROMPT_INJECTION]: The skill uses the variable ${input:projectName} which is interpolated directly into shell commands (unzip and cd). This constitutes an indirect prompt injection surface where unvalidated user input could potentially influence command execution.
  • Ingestion points: The projectName input variable used in the unzip and cd commands in SKILL.md.
  • Boundary markers: No delimiters or explicit instructions to ignore embedded content are present in the command templates.
  • Capability inventory: Shell command execution via unzip and cd across the workflow.
  • Sanitization: No sanitization, escaping, or validation logic for the user-provided variable is visible within the skill instructions.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 25, 2026, 05:25 AM