bughunt
Warn
Audited by Socket on Jun 13, 2026
2 alerts found:
SecurityAnomalySecuritySKILL.md
MEDIUMSecurityMEDIUM
SKILL.md
AnomalyREADME.md
LOWAnomalyLOW
README.md
This snippet does not include inspectable logic; it triggers remote code execution via `npx` by installing and registering an external `av/skills` “bughunt” skill. The primary risk is supply-chain execution without explicit version/integrity pinning. Malware cannot be verified from the fragment alone, but the command structure makes it essential to review the resolved package contents (including install/postinstall scripts) and monitor its network/filesystem/process behavior during execution.
Confidence: 100%Severity: 60%
Audit Metadata