maven-central-publish

Security checks across malware telemetry and agentic risk

Overview

This Maven publishing guide is mostly legitimate, but users should review it because it stores publishing/signing secrets persistently and includes a default Maven mirror that changes dependency source behavior.

Install only if you are comfortable reviewing and editing Maven publishing configuration. Remove the Aliyun mirror unless you intentionally trust and need it, protect ~/.m2/settings.xml with restrictive permissions, never commit it, and consider Maven password encryption, environment variables, CI secrets, or a keychain for tokens and GPG passphrases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly tells users to place both Central Portal credentials and a GPG passphrase into ~/.m2/settings.xml in plaintext, without warning about file permissions, secret exposure, or safer alternatives. This creates a realistic risk of credential theft via local compromise, backups, shell history, repo leakage, or CI artifact exposure, especially because the GPG passphrase protects signing identity as well as deployment access.

VirusTotal

65/65 vendors flagged this skill as clean.
