Security audit

springboot-unit-testing

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Spring Boot testing skill with disclosed local helper scripts, but users should keep its generated SQL and database examples isolated to test environments.

Install only if you want Spring Boot testing templates and local helper scripts. Review scripts before running them, run Maven and generated SQL only in trusted project checkouts, and use H2/Testcontainers or another disposable test database instead of a persistent localhost MySQL database.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3 (Medium)

Category: MCP Least Privilege
Confidence: 91%
Finding: The skill advertises only unit-testing guidance, but the content explicitly references shell commands, file packaging, report generation, and creation of files/scripts without any declared permissions boundary. That mismatch can cause an agent or user to allow filesystem and shell-capable behavior implicitly, increasing the chance of unintended command execution, file modification, or repository changes.

Tp4 (High)

Category: MCP Tool Poisoning
Confidence: 95%
Finding: The declared purpose is test-writing assistance, but the skill also describes generating files, running Maven, parsing reports, and scanning directories for analysis. This broader operational behavior exceeds the stated scope, which is dangerous because users and calling systems may trust it as a low-risk content-generation skill while it performs actions that touch the filesystem, execute commands, and inspect project contents.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.