Java & Vue code generation
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches a Java/Vue project generator, but its generated production-style Docker/database templates use known default passwords and exposed database ports.
Before installing or using this skill, plan to review the generated code and configuration. Change all default database passwords, avoid root database users, close public database ports, create lockfiles, and audit dependencies before running or deploying the generated project.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user deploys the generated project without changing these values, the database could be reachable with a well-known password.
The generated production-profile compose template exposes MySQL on the host using the root user and a hardcoded default password. This is an unsafe default for a skill that presents its output as production-ready.
SPRING_PROFILES_ACTIVE=prod ... SPRING_DATASOURCE_USERNAME=root ... SPRING_DATASOURCE_PASSWORD=password ... ports: - "3306:3306"
Treat generated Docker and database configs as local-development examples only; require unique secrets, non-root database users, and non-public database ports before any production use.
Installing the generated project may pull newer dependency versions with different behavior or vulnerabilities.
The generated frontend uses third-party npm packages with version ranges. This is normal for project scaffolding, but dependency resolution risk shifts to the generated project.
"dependencies": { "vue": "^3.4.0", "vue-router": "^4.2.0", "pinia": "^2.1.0", "axios": "^1.6.0" }
Generate and commit lockfiles, review dependencies, and run package audits before relying on the generated application.
