oidc-hosted-page-java
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references standard, well-known dependencies from the Spring Boot ecosystem, including spring-boot-starter-oauth2-client and spring-boot-starter-thymeleaf, which are fetched from official Maven or Gradle registries.
- [PROMPT_INJECTION]: The implementation creates a dashboard that displays OIDC user claims directly to the user, creating a potential surface for indirect prompt injection if the identity provider data is maliciously crafted.
- Ingestion points: Data enters the application context via the OidcUser object in DashboardController.java and is processed by the Thymeleaf template engine in dashboard.html.
- Boundary markers: There are no explicit delimiters or instructions provided to the agent to treat the ingested claims as untrusted data.
- Capability inventory: The skill allows for authentication and profile management but does not include scripts that execute system commands, access the local filesystem, or perform arbitrary network requests.
- Sanitization: The implementation leverages Thymeleaf's default th:text attribute for data binding, which provides automatic HTML escaping for the displayed content.
Audit Metadata