managing-keycloak
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides numerous administrative shell commands for managing Keycloak across multiple reference files, including the use of kcadm.sh, docker, and helm.
- [COMMAND_EXECUTION]: Instructions in DEPLOYMENT.md and CUSTOMIZATION.md include commands that restart system services (systemctl restart keycloak) and modify protected system directories (/opt/keycloak/providers/); these actions typically require root or administrative privileges.
- [EXTERNAL_DOWNLOADS]: DEPLOYMENT.md references the download of Docker images (jboss/keycloak) and Helm charts (codecentric/keycloak) from well-known public registries for the purpose of service deployment.
- [CREDENTIALS_UNSAFE]: Technical examples in DEPLOYMENT.md and references contain default or weak credentials such as admin/admin and keycloak/password, which must be updated in secure environments.
- [REMOTE_CODE_EXECUTION]: CUSTOMIZATION.md provides Java source code templates and build instructions (mvn clean package) for creating Service Provider Interface (SPI) extensions that run within the Keycloak environment. One example includes a placeholder return value that could inadvertently bypass authentication logic if not properly implemented.
Audit Metadata