Auth0 Springboot Api

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Auth0 Spring Boot API setup guide, with disclosed account/configuration steps and no executable payload, but users should handle Auth0 secrets carefully.

Install if you want an agent to help configure Auth0 for a Spring Boot API. Before using automated setup, confirm the Auth0 CLI is logged into the intended tenant and review any local configuration changes. Use placeholders only in examples; keep real client secrets and access tokens out of source control, shell history, CI logs, screenshots, and chat transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 93% confidence

Finding: The skill explicitly instructs the agent to follow an automated setup path that writes values into `application.yml` without requiring a clear, immediate user-facing warning that local project files will be modified. In an agent setting, this creates a real risk of unintended file changes, configuration drift, or overwriting existing settings, especially if the user only asked for guidance rather than permission to mutate the workspace.

Missing User Warnings

Medium, 92% confidence

Finding: The guide includes a client credentials example that places a client secret directly on the command line and in a shell payload without warning that the secret must be protected. This can leak sensitive credentials via shell history, process listings, CI logs, copied documentation snippets, or screenshots, enabling unauthorized token minting against the API.

VirusTotal

63/63 vendors flagged this skill as clean.