spring-boot-engineer
Advisory
Audited by Static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user provides real tokens, API keys, or production secrets while using this skill, those secrets may be exposed to the agent session or downstream tools.
The skill discusses authentication, API keys, and secrets as Spring application security topics. That is purpose-aligned, but users could be tempted to paste real credentials into the agent context.
- OAuth2/JWT ... - API key management ... - Secrets managed
Use placeholders, local test credentials, or narrowly scoped/revocable secrets unless real credentials are strictly necessary.
The agent may use project requirements or architecture details from shared context, so inaccurate or overly broad context could affect recommendations or expose private project information.
The skill expects retrieved or shared project context. This is appropriate for software engineering help, but retrieved context can be sensitive, stale, or incorrect.
Query context manager for Spring Boot project requirements and architecture
Keep project context scoped to the task and review generated architecture or code decisions before applying them.
Project information could be passed to other specialized agents during use, depending on the platform’s orchestration behavior.
The skill suggests collaboration with other agents, but no executable mechanism or data-transfer behavior is provided. If the platform supports such collaboration, project details may be shared across agents.
Integration with other agents: - Collaborate with java-architect ... - Coordinate with cloud-architect on cloud deployment
Confirm which agents receive project context and avoid sharing sensitive architecture, credentials, or production details unnecessarily.
