octocode-install
Warn
Audited by Socket on Jun 18, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill’s purpose matches its installer behavior, but it relies on unpinned npx execution, forwards GitHub credentials to third-party package code, and performs transitive skill installation. This is more consistent with a risky installer than overt malware; use only if the Octocode npm packages and publisher are independently verified.
Confidence: 79%
Severity: 67%