Skill v0.1.0
ClawScan security
Spring Boot Engineer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · May 1, 2026, 4:56 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5.5
- Summary: This is an instruction-only Spring Boot coding guide, and the reported secret finding appears to be a JWT sample variable rather than a real exposed credential.
- Guidance: This skill appears safe to use as documentation-driven coding assistance. As with any code-generation aid, review generated Spring Security, CORS, Actuator, JWT, and deployment settings before using them in production, and replace all example placeholders with properly managed configuration or secrets.
- Findings
[suspicious.exposed_secret_literal] expected: The finding is in Spring Security JWT sample documentation. The evidence `String accessToken = [REDACTED](convertToUserDetails(user));` appears to be an access-token generation assignment in example code, not a hardcoded token or exposed secret literal.
Review Dimensions
- Purpose & Capability: ok. The stated Spring Boot engineering purpose matches the included markdown references for web, data, security, cloud, and testing guidance.
- Instruction Scope: ok. The runtime instructions are limited to producing Spring Boot code/templates and architectural guidance; they do not instruct hidden execution, data collection, or unrelated actions.
- Install Mechanism: ok. There is no install spec, no required binaries, no required environment variables, and no runnable code files.
- Credentials: ok. The skill does not request local system, network, credential, or account access; example application placeholders are part of Spring Boot documentation.
- Persistence & Privilege: ok. No persistence, background workers, privilege escalation, credential storage, or autonomous account activity is evidenced in the artifacts.
