Java Maven Code Review

Security checks across malware telemetry and agentic risk

Overview

This is a local Java/Maven review helper that reads a target project and writes a report, with no evidence of hidden data transfer, destructive behavior, or credential misuse.

Install only if you are comfortable letting the agent read the Java/Maven project you provide and create report files in your workspace. Treat the bundled script’s output as a first-pass heuristic review, not a complete assurance that naming, duplication, module-boundary, or maintainability issues were fully checked.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 93% confidence
Finding: The skill promises review of ZIP archives and GitLab repositories and claims substantive Java/Maven analysis, but the implementation behavior described by the finding appears to rely on precomputed local inputs and superficial keyword checks. This mismatch can mislead users into trusting a report that did not actually inspect the supplied source, creating integrity risk, false assurance, and potential omission of serious code or configuration problems.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal