Bug#1126696: gradle-completion: CVE-2026-25063

Emmanuel Bourg ebourg at apache.org
Sun Feb 8 14:39:29 GMT 2026


Control: severity -1 important

A malicious Gradle build file executes arbitrary code and can trivially
cause harm to the system, with completion enabled or not. I'm
downgrading the severity because gradle-completion doesn't deserve to be
removed; the blame is on the user fetching and building an untrusted
project.


