
Security audit

maven-plugin-configuration

Security checks across malware telemetry and agentic risk

Overview

This Maven configuration guide is mostly legitimate, but it includes copyable examples that can rewrite project version files and make future builds run a shell script without adequate safety guidance.

Install only if you want an agent to help edit Maven build configuration. Apply suggestions on a clean branch, review POM diffs, and do not use the exec-maven-plugin bash example unless the referenced script is trusted and intentionally allowed to run in local and CI builds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill includes an exec-maven-plugin example that runs `bash` against a project-local script during `generate-sources`, which normalizes subprocess execution inside the build without any warning, trust boundary discussion, or constraints. In a build-configuration skill, this is risky because users may copy the pattern into CI or local builds and unintentionally permit arbitrary script execution from the repository.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The documentation recommends `versions:update-properties`, `versions:use-latest-releases`, and `versions:update-parent` without stating that these commands modify `pom.xml` and can introduce broad dependency changes. This can lead users to make large, potentially destabilizing supply-chain changes without review, pinning strategy, backups, or dry-run guidance.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The exec-maven-plugin example launches a shell script as part of the Maven lifecycle but does not warn that builds will spawn subprocesses and execute repository content. In practice, this increases the chance that a user copies the configuration into an automated environment where an unreviewed script can run with developer or CI privileges.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.