springboot-standardizer
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is mostly a coherent SpringBoot project-structure helper, but its Redis template includes a known unsafe Java deserialization pattern that should be reviewed before use.
This skill appears intended for SpringBoot project analysis and scaffolding, and its local file access is consistent with that purpose. Before using generated code, especially the Redis configuration, review and replace the broad Jackson default-typing serializer with a safer serialization approach.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user applies this generated Redis configuration in a real application, it may increase that application's exposure to deserialization-based attacks.
The generated RedisConfig template enables broad Jackson polymorphic default typing with a permissive validator. In Java applications, this is a known unsafe deserialization pattern if untrusted or attacker-controlled data can enter Redis/cache values.
mapper.activateDefaultTyping(LaissezFaireSubTypeValidator.instance, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
Avoid Jackson default typing for Redis values unless strictly necessary. Prefer typed DTO serializers, String/JSON serializers without polymorphic type metadata, or a tightly restricted PolymorphicTypeValidator.
The script will inspect local project files and write a report in the selected project directory.
The skill asks the user or agent to run local helper scripts against a chosen project path. This is central to the stated project-analysis purpose, but users should ensure the path is the intended project.
python scripts/analyze_project.py <项目路径>
Run it only on projects you intend to analyze, and review generated reports or files before committing or deploying them.
Installation may appear dependency-free even though the helper scripts require a Python runtime to run.
The registry metadata declares no required binaries, while the usage instructions rely on running Python scripts. This is an under-declared runtime expectation, not evidence of malicious behavior.
Required binaries (all must exist): none
Confirm Python is available and review the included scripts before running them.
