create-keystore
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE] (MEDIUM): The skill provides examples for non-interactive keystore generation using -storepass and -keypass flags with plain-text placeholders. Passing passwords as command-line arguments is insecure because they are recorded in shell history files (e.g., .bash_history) and are visible to other users on the system via process monitoring tools.
- [COMMAND_EXECUTION] (MEDIUM): The skill is centered around executing keytool via the shell. If an agent uses these templates to execute commands based on unvalidated user input, it creates a risk for command injection or unauthorized filesystem modification.
- [DATA_EXPOSURE] (LOW): The skill suggests storing signing credentials in gradle.properties and build.gradle files. While it includes a 'Security Best Practices' section advising against committing these to Git, these patterns are a common source of accidental credential leaks in Android development.
- [EXTERNAL_DOWNLOADS] (INFO): An automated scanner flagged 'proguard-rules.pro' as a malicious URL. This is likely a false positive as it is a standard configuration filename in Android development; however, users should ensure the content of such files is from a trusted source.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE