spring-boot-full-stack
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (MEDIUM): The database migration file
src/main/resources/db/migration/V1__init_schema.sqlcontains a hardcoded administrator account ('admin') with a known pre-computed BCrypt password hash (representing 'admin123'). This creates a significant security risk if the template is deployed to any environment without manual modification of the migration scripts.\n- [CREDENTIALS_UNSAFE] (LOW): Thesrc/main/resources/application.ymlfile contains a default hardcoded JWT secret (mySecretKeyFor...). While labeled as a placeholder, its inclusion in a functional configuration increases the risk of accidental deployment with insecure settings.\n- [CREDENTIALS_UNSAFE] (LOW): TheMakefilecontains targets that pass database passwords as plain-text command-line arguments to the Flyway CLI (e.g.,-Dflyway.password=postgres). This practice exposes the credentials to any user on the system who can view the process list.\n- [PROMPT_INJECTION] (LOW): The skill's 'OpenSpec' workflow processes untrusted data from specification files to generate application logic, which is susceptible to indirect prompt injection.\n - Ingestion points: The agent is instructed to read requirements and change proposals from files within the
openspec/directory.\n - Boundary markers: Absent. There are no instructions for the agent to treat these specifications as untrusted data or to ignore instructions embedded within them.\n
- Capability inventory: The agent has the capability to write executable Java code, create database schema migrations, and modify critical security configurations.\n
- Sanitization: Absent. No validation mechanism is in place to verify specifications for malicious intent before the agent acts upon them.
Audit Metadata