get-brand-assets

Warn

Audited by Socket on Jul 2, 2026

1 alert found:

Anomaly
AnomalyLOW
SKILL.md

SUSPICIOUS: The skill's purpose is coherent, but its data flow is not direct. It reads a raw local API key and sends requests through a Gooseworks proxy rather than the official downstream API path, and it includes an unverified `npx` login/install step. This looks more like a managed gateway integration than malware, but the proxy routing and configurable `api_base` create meaningful credential and data-flow risk.

Confidence: 84%Severity: 64%
Audit Metadata
Analyzed At
Jul 2, 2026, 06:17 AM
Package URL
pkg:socket/skills-sh/athina-ai%2Fgoose-skills%2Fget-brand-assets%2F@41f2c713fb6602091ca4e5cdc5c61065fee87492712a65542aa553c222c2fa5c
Security Audit — socket — get-brand-assets