create-spring-boot-kotlin-project

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt contains explicit plaintext credentials (e.g., redis/postgres/mongo usernames and passwords like "root"/"rootroot") and instructs the agent to insert them into config files and docker-compose, which requires the LLM to output secret values verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill runs a runtime curl to fetch https://start.spring.io/starter.zip which provides project source/build files the user then unzips and builds/runs (via Gradle), meaning remote code is fetched at runtime and can be executed locally.