loop-ops

Warn

Audited by Socket on Jul 4, 2026

1 alert found:

Anomaly
AnomalyLOW
assets/examples/pr-watch/github-actions.yml

No explicit malicious payload is evident in the provided workflow fragment. However, the workflow creates a high-impact automation pathway with meaningful security/supply-chain exposure: it installs an external npm package at runtime without an explicit version pin in the shown command, runs an AI agent that can post PR comments and persist changes to the repository, and grants write permissions to both contents and pull requests. The effective safety therefore depends heavily on dependency integrity, immutability of repo-controlled prompt/state inputs, and the strictness/robustness of the tool allowlist enforcement.

Confidence: 60%Severity: 65%
Audit Metadata
Analyzed At
Jul 4, 2026, 07:01 PM
Package URL
pkg:socket/skills-sh/0xdarkmatter%2Fclaude-mods%2Floop-ops%2F@e0d431e7de7cdb10a3f8fc5f5bd4164caeb9654d69d580b2033a29ccfd931ad8
Security Audit — socket — loop-ops