skills/giuseppe-trisciuoglio/developer-kit-claude-code/spring-boot-project-creator/Gen Agent Trust Hub
spring-boot-project-creator
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches project templates and dependencies from Spring Initializr (start.spring.io), a well-known service for the Java ecosystem.
- [COMMAND_EXECUTION]: Executes local shell commands to extract the downloaded project and run build verification. Evidence: Uses 'unzip' to extract the scaffold and './mvnw clean verify' to confirm the project structure is valid.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via user-provided configuration parameters, though this is part of its core functionality.
  * Ingestion points: User input gathered via AskUserQuestion for Group ID, Artifact ID, and Package Name.
  * Boundary markers: Absent; user input is interpolated into curl commands and application property files.
  * Capability inventory: 'Bash' (used for curl and mvnw) and 'Write' (used to generate project files).
  * Sanitization: Absent; the skill does not explicitly validate or escape user-provided strings before use.