codeflow

Warn

Audited by Socket on Jun 27, 2026

2 alerts found:

Anomalyx2
AnomalyLOW
SKILL.md

SUSPICIOUS. The skill’s purpose and core capabilities are mostly coherent, and the upstream self-host instructions match the named CodeFlow project. However, trust is diluted by reliance on a third-party hosted frontend on a Vercel subdomain, unpinned `git clone` installation from a mutable branch, and transitive installation through `npx skills add`. This looks more like a legitimate but medium-risk wrapper than malware; the main concerns are supply-chain and trust-chain exposure rather than clear exfiltration.

Confidence: 86%Severity: 58%
AnomalyLOW
scripts/install.sh

This wrapper appears benign in its own logic (no credential theft, obfuscation, or exfiltration), but it carries a meaningful supply-chain risk: it clones/pulls unpinned remote repository content into a local directory and then immediately opens index.html in the user’s browser, which will execute whatever client-side code is present. The lack of commit/tag pinning or integrity verification and the ability to override CODEFLOW_REPO amplify the risk if upstream content or the environment is compromised.

Confidence: 70%Severity: 58%
Audit Metadata
Analyzed At
Jun 27, 2026, 04:58 AM
Package URL
pkg:socket/skills-sh/akillness%2Fjeo-skills%2Fcodeflow%2F@aa38d34bd1b275c8c4465c29fb192e50e6ee20671f0bd487d2d4bf28190fdb50
Security Audit — socket — codeflow