ClawHub

Spring Boot Engineer

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Spring Boot coding skill with ordinary framework examples and no evidence of hidden execution, data theft, or destructive behavior.

Reasonable to install as a Spring Boot reference skill. Treat its snippets as examples, not production-ready defaults: keep secrets in environment or secret-management systems, review CORS and JWT settings, and harden tracing by reducing sampling and excluding PII, tokens, request bodies, or other sensitive values from spans.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list uses very broad technology terms like 'Spring Boot', 'Spring Framework', and 'Java REST API', which can cause this skill to be invoked for many loosely related requests outside its intended specialist scope. In an agent system, over-broad invocation increases the chance that this implementation-focused skill is selected inappropriately, potentially displacing safer or more relevant skills and leading to poor security guidance or unintended action in unrelated contexts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The tracing configuration sets sampling.probability to 1.0, causing all requests to be traced and exported to Zipkin. In real Spring applications, spans often include request metadata, headers, IDs, and operational details; full sampling significantly increases the chance of sensitive or regulated data being captured and exposed through telemetry systems, especially when the example provides no warning or data-minimization guidance.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The custom span example records request-derived attributes into telemetry without any caution about sensitive-data handling. Even seemingly harmless fields like order type or item counts can become privacy-relevant when combined with trace IDs and other metadata, and developers may imitate this pattern with directly user-controlled values such as emails, account IDs, or payload contents.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal