skill-manager

Warn

Audited by Socket on May 20, 2026

1 alert found:

Anomaly
AnomalyLOW
scripts/install.sh

This bash fragment is primarily a deployment/installer utility with no clear direct malware (no exfiltration, backdoor, or obvious credential theft) in the shown code. However, it carries meaningful supply-chain risk: it fetches arbitrary GitHub content without integrity/provenance verification and installs it into a directory likely used by other tooling, while also creating symlinks to user-controlled filesystem paths and executing local helper scripts (record.py/security.py) if present. The actual malware probability depends heavily on the contents of record.py/security.py and the downstream consumer of the installed skills/commands.

Confidence: 62%Severity: 66%
Audit Metadata
Analyzed At
May 20, 2026, 04:25 AM
Package URL
pkg:socket/skills-sh/cat-xierluo%2Flegal-skills%2Fskill-manager%2F@5adc5854c6660ca2c8928f0c5812b260c5e98181
Security Audit — socket — skill-manager