AGENT LAB: SKILLS

spring-boot-security-jwt

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL [EXTERNAL_DOWNLOADS] [CREDENTIALS_UNSAFE] [COMMAND_EXECUTION]
Full Analysis
  • [EXTERNAL_DOWNLOADS] (CRITICAL): An automated scanner (URLite) detected the presence of a phishing URL (now.ge) within the skill's operational context. This represents a significant security risk for credential theft and redirection to malicious sites.
  • [CREDENTIALS_UNSAFE] (LOW): The script 'assets/generate-jwt-keys.sh' uses hardcoded default passwords ('changeit') for keystore and private key generation. Additionally, 'scripts/test-jwt-setup.sh' contains hardcoded test credentials ('test@example.com' and 'TestPassword123!'). Users are warned to change these, but their inclusion as defaults poses a risk if not updated before deployment.
  • [COMMAND_EXECUTION] (SAFE): The skill uses standard shell commands and tools including 'curl', 'openssl', 'keytool', and 'jq' to facilitate JWT configuration and validation testing. These operations are restricted to local environment variables and well-known local endpoints.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 17, 2026, 04:52 PM