Security audit

java&vue代码生成

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Java/Vue project generator, but its generated database templates use unsafe production-style defaults that users should review before use.

Review generated configuration before running it, especially Docker Compose and application.yml files. Replace default database passwords, avoid root/postgres superuser accounts for the app, remove public database port mappings unless needed locally, enable appropriate transport security, and create lockfiles/audit dependencies before deploying anything generated by this skill.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Natural-Language Policy Violations

Low

Confidence: 98% confidence
Finding: The template hard-codes a production profile and default root database credentials ('root' / 'password'), and also disables SSL while enabling allowPublicKeyRetrieval. If deployed as-is, it creates an easily guessable database configuration, increases the chance of unauthorized access, and normalizes insecure defaults in an environment labeled as production.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal