jarvis-mission-control
Audited by Socket on Jun 26, 2026
3 alerts found:
Anomalyx2Obfuscated FileSUSPICIOUS: the overall purpose is plausible, but the skill materially understates its footprint. It directs execution of remote repo code and npm dependencies, mixes publisher identity between MissionDeck.ai and a personal GitHub account, describes outbound integrations despite 'data_local_only' claims, and includes transitive skill installation guidance. No confirmed credential theft or overtly malicious payload is shown, but the documentation is internally inconsistent enough to warrant caution.
SUSPICIOUS: the skill is broadly aligned with a mission-control dashboard, but its footprint is larger than a simple monitoring tool. Local session-file reading, browser-based file editing, CLI execution, webhook delivery, cloud API-key flows, and transitive skill installation create medium risk even though there is no clear evidence of malware or hidden exfiltration.
The fragment indicates a strengthened security posture with path traversal protections and XSS mitigations, culminating in production readiness. No explicit malware or backdoors are evidenced in the narrative, but definitive verification requires access to the actual codebase, test artifacts, and execution logs. Deployment should pair these controls with robust authentication, access controls, and network restrictions given open bindings. Overall, the report presents a credible hardening effort, though the evidence is not independently verifiable from the fragment alone.