400-frameworks-quarkus-create-project
Pass
Audited by Gen Agent Trust Hub on Jul 11, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple shell commands to manage software development kits and generate project code, including
sdk,quarkus, and the Maven wrapper./mvnw. - Evidence: Instructions in
references/400-frameworks-quarkus-create-project.mdspecify runningquarkus create appandmvn clean verify. - [EXTERNAL_DOWNLOADS]: The skill uses SDKMAN to download and install Java and the Quarkus CLI from remote repositories.
- Evidence: Step 2 and 3 in
references/400-frameworks-quarkus-create-project.mddescribe usingsdk install java <version>andsdk install quarkus <version>to set up the environment. - [INDIRECT_PROMPT_INJECTION]: The skill processes user-supplied data such as group IDs, artifact IDs, and project names, which are then used to build shell commands, creating a vulnerability surface if the inputs contain malicious instructions.
- Ingestion points: User-provided inputs for project coordinates (group, artifact, version), package names, and Quarkus extensions in
references/400-frameworks-quarkus-create-project.mdStep 4. - Boundary markers: There are no explicit delimiters or specific instructions to the agent to sanitize or ignore embedded instructions within these user-provided strings.
- Capability inventory: The skill has the capability to execute shell commands (
quarkus create) and modify the local filesystem. - Sanitization: No explicit validation or escaping logic is defined for the variables before they are interpolated into the final shell command string.
Audit Metadata