workspace

Warn

Audited by Socket on May 12, 2026

1 alert found:

Anomaly (severity: LOW)
assets/devcontainer.json

No direct malicious code is visible in this configuration snippet. However, it creates a meaningful supply-chain risk by automatically running an unpinned npm package (`skills@latest`) via `npx --yes` during container creation and by using an unpinned container image tag (`...:latest`). Additionally, it injects ASTA_TOKEN into the container environment, which could amplify impact if any installed package/plugin is malicious. Recommended mitigations: pin the npm package and container image to exact versions/digests, verify integrity, and minimize/avoid passing sensitive tokens into build-time provisioning steps.

Confidence: 100%
Severity: 60%
Audit Metadata
Analyzed At
May 12, 2026, 06:47 AM
Package URL
pkg:socket/skills-sh/allenai%2Fasta-plugins%2Fworkspace%2F@d9f38aac49b2e83ef61c3bcf3a3c4f2a61b3f842
Security Audit — socket — workspace