Back to skill

Security audit

xfg-ddd-skills

Security checks across malware telemetry and agentic risk

Overview

This is a coherent DDD scaffolding and deployment skill, but it needs Review because it can lead agents into file generation, Docker changes, and database initialization with weak safety controls.

Install only if you want an agent to scaffold Java DDD projects and provide deployment commands. Before use, explicitly confirm the target directory, run the script interactively, review generated files, replace every sample password, avoid root database credentials, and never run initialization SQL or docker stop/rm commands against production or existing data without backups and a clear rollback plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The skill insists that project creation must never proceed without asking the user for a target path, yet later includes hard-coded user-specific local paths in deployment examples. In an agent setting, contradictory guidance can normalize unsafe path assumptions and increase the chance of writing to or operating on unintended local directories.

Context-Inappropriate Capability

Low
Confidence
91% confidence
Finding
The document exposes direct file:// paths to the author's local workstation, which leaks unnecessary host-specific information such as username, directory structure, and local project layout. In a skill package, this can disclose environment details and may encourage consumers or downstream agents to rely on local-file access patterns outside the skill's stated DDD/infrastructure documentation purpose.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The document provides a generic outbound HTTP gateway that accepts arbitrary URLs and parameter maps, enabling server-side requests to attacker-controlled destinations if copied into an agent-accessible implementation. In a DDD/infrastructure template, this is broader than necessary and can normalize unsafe patterns that lead to SSRF, internal network access, data exfiltration, or use of the host as a proxy.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The HTTP callback example posts JSON to a caller-supplied URL without any visible destination validation or trust boundary controls. If adopted in real services, this can let untrusted input trigger outbound requests to arbitrary systems, creating SSRF risk and potentially leaking internal data through callback responses or side effects.

Context-Inappropriate Capability

Low
Confidence
94% confidence
Finding
The document embeds developer-local file:// paths that disclose a specific workstation directory structure and username-like identifier. While not directly exploitable on their own, such paths leak environment-specific information and can aid reconnaissance, social engineering, or accidental propagation of sensitive internal filesystem details when the skill is shared.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README advertises very broad natural-language activation phrases such as creating projects, deployment, build, and operations tasks without clear confirmation boundaries. In an agent skill, this can cause over-triggering on ordinary conversation and lead the assistant to initiate code generation or operational guidance in contexts the user did not explicitly intend.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example phrase '帮我创建一个 DDD 项目' is a vague, generic request that could match many benign conversations about architecture or examples. Because the skill supports project generation and related actions, ambiguous invocation increases the risk of unintended activation and downstream file creation or environment-changing behavior.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The deployment section includes commands that start containers, build images, and initialize a database using root credentials and SQL redirection, but it does not warn that these actions modify the local environment and may overwrite or corrupt existing data. In a skill context, operational instructions without explicit safety gates are dangerous because an assistant may present or automate them for the wrong project, host, or database instance.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list contains broad operational terms such as deploy/build/start/stop/restart/environment configuration, which can cause the skill to activate on generic requests unrelated to this specific package. In a skill that includes deployment and container-management instructions, accidental activation raises the risk of unintended operational guidance or execution in the wrong context.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The generic trigger '新建项目' is broad enough to match many unrelated user intents. Because this skill can lead into scaffold generation and deployment workflows, an ambiguous trigger increases the chance of invoking code-generation behavior when the user did not intend this specific framework or template.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The start/stop scripts unconditionally run 'docker stop' and 'docker rm' against a named container without requiring a warning, confirmation, or state check. In an agent-assisted environment, this can cause destructive service interruption or data loss if run against production or a reused container name.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The database initialization commands execute SQL directly against MySQL using root credentials and provide no warning that this modifies database state. In deployment contexts, such instructions can overwrite schema or seed data in the wrong environment if an agent or user follows them without explicit confirmation.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The deployment guide hardcodes default credentials such as `MYSQL_ROOT_PASSWORD: root123` and `RABBITMQ_DEFAULT_PASS: admin123`, and reuses them throughout compose files and commands. In a DevOps deployment skill, users may copy these values directly into real environments, enabling trivial unauthorized access, lateral movement, and full compromise of databases or message brokers exposed on standard ports.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The docker-compose example hardcodes `MYSQL_ROOT_PASSWORD: 123456`, which encourages insecure defaults and may lead users to deploy a database with a trivial root credential. In the context of a deployment skill, this is more dangerous because users are likely to copy the example directly into real environments, exposing administrative access if the service is reachable.

Natural-Language Policy Violations

Low
Confidence
91% confidence
Finding
These locale-specific file:// references hard-code one developer's filesystem layout into shared guidance, which can reveal internal development practices and host-specific details to users who should not need them. In this DDD/deployment skill context, the references are unnecessary to functionality, so their presence increases the likelihood of accidental information disclosure rather than serving a justified operational purpose.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.