yp

Warn

Audited by Socket on Jul 13, 2026

3 alerts found:

Anomalyx3
AnomalyLOW
SKILL.md

SUSPICIOUS: overall purpose and capabilities mostly align, and the declared package install path appears proportionate for a developer CLI. Main concerns are transitive skill installation, credential forwarding through the external `yp` CLI to AI providers, and broad real-world write actions (git push, PR/work-item mutation, deletion) that exceed a read-only helper profile. No clear evidence of credential theft, hidden exfiltration, or fundamentally incompatible behavior was provided.

Confidence: 82%Severity: 62%
AnomalyLOW
Providers/AiProviders.cs

No clear malicious/backdoor behavior is evident in this code fragment; it behaves like a legitimate AI API client with local config/model caching. However, there are meaningful security hygiene and configuration risks: (1) Gemini API keys are included in the URL query string, increasing leakage likelihood, and (2) baseUrl/customBaseUrl are used without strict allowlisting, so tampering with ~/.yitpush/config.json or providing a malicious customBaseUrl could redirect requests to attacker-controlled endpoints while credentials are attached (credential exfiltration risk).

Confidence: 65%Severity: 55%
AnomalyLOW
Commands/SkillCommand.cs

No explicit malicious/stealth behavior is evident in this fragment. However, it performs a high-impact supply-chain operation: it uses `npx` to non-interactively install a third-party package by name without visible version/integrity pinning. This creates a meaningful risk that upstream package changes or compromise could lead to arbitrary code execution during installation. Additional assessment requires reviewing the implementations of `RunCommandCapture`/`RunCommandPassthrough` and any package/skills security controls elsewhere in the project.

Confidence: 65%Severity: 67%
Audit Metadata
Analyzed At
Jul 13, 2026, 04:42 PM
Package URL
pkg:socket/skills-sh/elvisbrevi%2Fyitpush%2Fyp%2F@2a246e552e35d6f195d57ba7ba9347472ad78e8d
Security Audit — socket — yp