400-frameworks-quarkus-create-project

Pass

Audited by Gen Agent Trust Hub on Jul 11, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes multiple shell commands to manage software development kits and generate project code, including sdk, quarkus, and the Maven wrapper ./mvnw.
  • Evidence: Instructions in references/400-frameworks-quarkus-create-project.md specify running quarkus create app and mvn clean verify.
  • [EXTERNAL_DOWNLOADS]: The skill uses SDKMAN to download and install Java and the Quarkus CLI from remote repositories.
  • Evidence: Step 2 and 3 in references/400-frameworks-quarkus-create-project.md describe using sdk install java <version> and sdk install quarkus <version> to set up the environment.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes user-supplied data such as group IDs, artifact IDs, and project names, which are then used to build shell commands, creating a vulnerability surface if the inputs contain malicious instructions.
  • Ingestion points: User-provided inputs for project coordinates (group, artifact, version), package names, and Quarkus extensions in references/400-frameworks-quarkus-create-project.md Step 4.
  • Boundary markers: There are no explicit delimiters or specific instructions to the agent to sanitize or ignore embedded instructions within these user-provided strings.
  • Capability inventory: The skill has the capability to execute shell commands (quarkus create) and modify the local filesystem.
  • Sanitization: No explicit validation or escaping logic is defined for the variables before they are interpolated into the final shell command string.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 11, 2026, 05:56 PM