when-creating-slash-commands-use-slash-command-encoder
Warn
Audited by Socket on Jun 26, 2026
1 alert found:
AnomalyAnomalyPROCESS.md
LOWAnomalyLOW
PROCESS.md
No explicit malicious payload is visible in the provided bash snippet. However, the workflow repeatedly executes an unpinned `npx claude-flow@alpha` tool, generates executable JavaScript, builds a bundle, installs it, and then runs an analysis step against local code. Without version pinning and artifact integrity verification, the dominant risk is supply-chain compromise (malicious or changed upstream tool generating/installable code), rather than obvious in-script malware.
Confidence: 64%Severity: 62%
Audit Metadata