本技能用于分析 Java 微服务项目中 Controller 层的完整调用链路，能够自动追溯到 Service、Mapper、Repository 层，并提取完整的 SQL 语句。最终生成结构化的 JSON 文件，便于 API 文档生成、代码审计或架构理解。

Security checks across malware telemetry and agentic risk

Overview

This skill reads a Java project to document controller call chains and writes a local JSON report, with no evidence of hidden execution or data sharing.

Install this only for Java projects where you are comfortable with the agent reading controller, service, mapper, repository, and SQL files. Keep the generated JSON report in a trusted location because it may contain internal API paths, business logic, and database query details.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 92% confidence
Finding: The skill explicitly states it will generate a JSON file and automatically create the output directory, but it does not clearly warn users that running the skill modifies the local filesystem. In an agent context, undisclosed write behavior can surprise users, overwrite expected locations, or be combined with untrusted path input to create unintended files.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal