Java Security Audit - AI-driven Java code audit

Security checks across malware telemetry and agentic risk

Overview

This Java audit skill is purpose-aligned, but it will read project code, write audit reports, and may look up dependency versions online.

Install it only for codebases you are allowed to scan. Run it in a controlled workspace; review the generated audit-output files, because they may contain sensitive code snippets or secrets; avoid online dependency lookups for private projects unless that disclosure is acceptable; and double-check remediation guidance before applying it, especially the XStream advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly directs the agent to read the repository and persist multiple audit artifacts to disk, but the metadata does not declare those capabilities or warn the user about them. Undeclared file read/write behavior weakens consent and policy enforcement, and in a security-audit context it can expose sensitive source code and create files unexpectedly in the user's workspace.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to perform external web searches on dependency names and versions, which adds network egress beyond local code review. That can leak sensitive technology-stack details about internal projects to third-party services and expands the attack surface if users expected an offline/local-only audit workflow.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This rule set is labeled as configuration security, but the referenced rules trigger on the mere presence of components such as Nacos, Sentinel, Dubbo, or ActiveMQ rather than on an actually insecure setting. That creates systematic false positives in a security auditing skill, which can mislead users, dilute trust in high-severity findings, and bury real issues under noisy output.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
Multiple rules in this section report 'configuration security' issues based solely on API or framework usage in Java code, such as creating FreeMarker, XStream, Hessian, Drools, or controller/template constructs, without establishing unsafe configuration or attacker control. In a security audit skill, this overbroad behavior is dangerous because it produces large volumes of misleading findings and may cause analysts to miss genuine exploitable conditions.
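To make the presence-versus-setting distinction concrete, here is an added Python illustration that is not part of the skill or of this report. It runs two rules over two constructed sample projects that both use Dubbo: a presence rule of the kind the finding criticises, and an assumed setting-based rule that fires only when Dubbo's QoS management port is enabled and configured to accept connections from non-local addresses (the `dubbo.application.qos-enable` and `dubbo.application.qos-accept-foreign-ip` properties). The rule, the project contents and the file paths are all constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample projects (not the audited code): path -> file text.
# Both use Dubbo; only the second changes a setting that actually matters.
DEFAULT_DUBBO_PROJECT: Dict[str, str] = {
    "src/main/java/com/example/OrderService.java":
        "import org.apache.dubbo.config.annotation.DubboService;\n"
        "@DubboService\npublic class OrderService {}\n",
    "src/main/resources/application.properties":
        "dubbo.application.name=orders\n",
}

EXPOSED_QOS_PROJECT: Dict[str, str] = dict(DEFAULT_DUBBO_PROJECT)
EXPOSED_QOS_PROJECT["src/main/resources/application.properties"] = (
    "dubbo.application.name=orders\n"
    "dubbo.application.qos-enable=true\n"
    "dubbo.application.qos-accept-foreign-ip=true\n"
)

# Presence rule, the pattern the finding criticises: fires whenever Dubbo appears at all.
PRESENCE_RULE = re.compile(r"\borg\.apache\.dubbo\b")


def property_value(text: str, key: str) -> Optional[str]:
    """Value of a key=value line in a .properties file, lower-cased, or None if absent."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(\S*)", text, re.MULTILINE)
    return m.group(1).lower() if m else None


def presence_findings(project: Dict[str, str]) -> List[str]:
    """Paths flagged by the presence rule (one per file that mentions Dubbo)."""
    return sorted(path for path, text in project.items() if PRESENCE_RULE.search(text))


def setting_findings(project: Dict[str, str]) -> List[str]:
    """Assumed setting-based rule: QoS enabled AND open to non-local addresses."""
    hits = []
    for path, text in project.items():
        if not path.endswith(".properties"):
            continue
        if (property_value(text, "dubbo.application.qos-enable") == "true"
                and property_value(text, "dubbo.application.qos-accept-foreign-ip") == "true"):
            hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for name, project in (("default", DEFAULT_DUBBO_PROJECT), ("exposed", EXPOSED_QOS_PROJECT)):
        print(name, "presence:", presence_findings(project), "setting:", setting_findings(project))
```

On the default project the presence rule already raises a finding although nothing is misconfigured; the setting rule stays silent until the exposing properties are actually set, which is the behaviour a configuration-security rule should have.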

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The XStream rule warns that broad deserialization is dangerous, but its remediation recommends `AnyTypePermission`, which permits deserialization of arbitrary classes and undermines the warning. The correct remediation is the opposite: deny all types (`NoTypePermission.NONE`) and allow-list only the expected ones with `allowTypes` or `allowTypesByWildcard`. In a security-focused skill, incorrect remediation is especially hazardous because users may apply the suggested 'fix' and directly weaken deserialization security, potentially enabling RCE paths.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The regex uses a capturing group in re.findall, so it returns only the extension values ('java' or 'kt') instead of full file paths; a non-capturing group `(?:...)`, or `finditer` with `group(0)`, would return the paths. As a result, reviewed_files never matches actual_files, causing incorrect coverage calculations and potentially letting a security audit workflow make bad gating decisions or miss unreviewed code.
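The capturing-group bug described above, reproduced as an added Python example that is not the skill's own code. The project file list, the report text and the gating threshold are constructed; the two patterns differ only in whether the extension alternation captures.

```python
import re
from typing import Callable, List, Set, Tuple

# Constructed sample project inventory (not the audited skill's data):
# the source files that actually exist.
ACTUAL_FILES: Set[str] = {
    "src/main/java/com/example/App.java",
    "src/main/java/com/example/Util.java",
    "src/main/kotlin/com/example/Ext.kt",
}

# Constructed sample report text the agent might write after its review.
REPORT = """## Reviewed files
- src/main/java/com/example/App.java: no findings
- src/main/kotlin/com/example/Ext.kt: unchecked cast (low)
"""

# The flawed pattern: the alternation is a capturing group, so re.findall
# returns group 1 ("java" / "kt") instead of the whole match.
BUGGY_PATTERN = re.compile(r"\S+\.(java|kt)\b")

# The fix: a non-capturing group (?:...), so re.findall returns the full path.
FIXED_PATTERN = re.compile(r"\S+\.(?:java|kt)\b")


def reviewed_files_buggy(report: str) -> Set[str]:
    """Reproduces the bug: yields {'java', 'kt'}, never a path."""
    return set(BUGGY_PATTERN.findall(report))


def reviewed_files_fixed(report: str) -> Set[str]:
    """Yields the file paths mentioned in the report."""
    return set(FIXED_PATTERN.findall(report))


def coverage(reviewed: Set[str], actual: Set[str]) -> Tuple[float, List[str]]:
    """Fraction of actual files the report mentions, plus the ones it missed."""
    if not actual:
        return 1.0, []
    unreviewed = sorted(actual - reviewed)
    return (len(actual) - len(unreviewed)) / len(actual), unreviewed


def gate(report: str, actual: Set[str], extractor: Callable[[str], Set[str]],
         threshold: float = 0.9) -> dict:
    """Gating decision a workflow might derive from the coverage figure."""
    ratio, unreviewed = coverage(extractor(report), actual)
    return {"coverage": ratio, "unreviewed": unreviewed, "passed": ratio >= threshold}


if __name__ == "__main__":
    for name, extractor in (("buggy", reviewed_files_buggy), ("fixed", reviewed_files_fixed)):
        print(name, gate(REPORT, ACTUAL_FILES, extractor))
```

With the buggy extractor the coverage is always 0 and every file is reported as unreviewed, so a workflow either blocks unconditionally or, if someone "fixes" that by lowering the threshold, stops noticing files the agent genuinely skipped; the fixed extractor reports the one file the constructed report omits.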

Vague Triggers

Medium
Confidence
87% confidence
Finding
The Chinese invocation example uses a very generic phrase to trigger the skill, which can overlap with normal user conversation and cause unintended activation. In an agent environment, broad triggers increase the chance the skill runs on unrelated inputs or is invoked by prompt content embedded in untrusted data, expanding the attack surface.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The English example 'Help me audit this Java project: /path/to/project' is common conversational language rather than a narrowly scoped command. This makes accidental or adversarial triggering more likely, especially if user-supplied content, logs, or retrieved documents are interpreted as agent instructions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that intermediate results and audit outputs will be persisted to files, but does not clearly notify the user in advance. In a code-audit setting, those files may contain sensitive code excerpts, dependency data, or vulnerability findings, creating confidentiality and workspace-integrity risks if written without explicit consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill requires external searches for vulnerability intelligence using dependency names and versions, but does not tell the user that project metadata will be transmitted over the network. For private enterprise codebases, dependency inventories can reveal internal architecture, patch posture, and high-value targets, making this materially risky.

VirusTotal

66/66 vendors reported this skill as clean.