spring-boot-project-creator
Audited by Socket on Feb 28, 2026
1 alert found:
Malware: This skill is consistent with its stated purpose (bootstrapping Spring Boot projects). It uses official sources (start.spring.io, official Docker images) and writes expected local files (project sources, docker-compose, .env). The primary security concerns are operational: it generates weak default credentials, exposes database ports on the host by default, and includes a development-only JPA setting (ddl-auto=update) that can be dangerous if misapplied to production. There is no evidence of malicious intent or data-exfiltration behavior in the provided content, but the download-execute pattern and default insecure settings justify a moderate security risk rating and caution when using the generated scaffold beyond isolated local development.