ClawHub

spring-to-solon-skill

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Spring-to-Solon migration guide with some unsafe copy-paste examples, but no evidence of hidden execution or data collection.

Install only as a migration reference, not as production security guidance. Review generated code before applying it, replace all sample credentials and JWT secrets with environment or secret-manager values, avoid automatic DDL updates in production, and harden file upload/download handlers with safe filenames, path normalization, allowlists, and storage outside the web root.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document includes realistic-looking plaintext secrets such as a database password and JWT secret directly in sample configuration without clearly labeling them as placeholders or warning against copying them into production. In a migration guide, readers may reuse these examples verbatim, normalizing insecure secret handling and increasing the chance that credentials are committed to source control or deployed unchanged.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The development-environment example continues to show plaintext usernames and passwords with no guidance on safe credential storage. Even though these are presented as dev settings, such patterns are often copied into real projects and can lead to accidental exposure through repositories, logs, or shared config files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Solon-side migration example repeats the insecure pattern by embedding plaintext passwords and a JWT secret in the post-migration configuration. Because this is a framework migration guide, the unsafe example may be interpreted as recommended Solon practice, spreading insecure secret management into migrated applications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The Solon development configuration also contains plaintext credentials and omits any security warning or safer pattern. While the context is documentation rather than executable code, documentation strongly influences implementation choices, so this can propagate weak practices across multiple projects.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document includes hard-coded database passwords such as `123456` in configuration examples without clearly labeling them as placeholders or warning readers not to reuse them. In a migration guide, readers may copy these snippets directly into real deployments, leading to weak credentials and accidental credential exposure in source control or shared configs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The JPA example sets `hibernate.hbm2ddl.auto: update` without warning that automatic schema mutation can cause unintended changes, drift, or data integrity issues in non-development environments. In migration documentation, this is especially risky because users may apply the sample during production cutovers where schema changes should be controlled and reviewed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The upload examples save a user-controlled filename directly to /uploads/ via transferTo(new File("/uploads/" + originalName)) without sanitizing the name, generating a safe server-side filename, or warning about overwrite and path traversal risks. In a migration guide, readers may copy this verbatim into production code, enabling attackers to overwrite files or write outside the intended directory if filename handling is unsafe.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The download examples build a filesystem path directly from a path parameter ("/uploads/" + filename) and then return the file if it exists, with no normalization, allowlisting, or warning about path traversal. If copied into real applications, an attacker could request crafted filenames such as ../ sequences to access arbitrary readable files on the server.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal