github-release-management

Warn

Audited by Socket on Jun 14, 2026

2 alerts found:

Anomalyx2
AnomalyLOW
references/workflows.md

No explicit malicious payloads (e.g., backdoors, exfiltration endpoints, reverse shells) are evident in the provided snippet. However, it introduces significant supply-chain and CI integrity risk by repeatedly executing a mutable `npx claude-flow@alpha` package in privileged release/publish workflows that access GitHub and npm credentials. If that orchestrator is compromised or unexpectedly changes, it could tamper with releases/artifacts or misuse publishing credentials. Mitigate by pinning exact versions/commit hashes, verifying provenance/signatures of the invoked packages, reducing workflow permissions to the minimum needed, and tightening artifact generation/validation boundaries before publishing.

Confidence: 100%Severity: 60%
AnomalyLOW
SKILL.md

SUSPICIOUS: the core gh-based release workflow is coherent and mostly benign, but the skill meaningfully expands trust to third-party orchestration tooling and mutable npx/@alpha execution for real-world deploy/publish actions. No clear credential theft or exfiltration is present, yet the install/execution trust and action impact justify medium risk.

Confidence: 100%Severity: 60%
Audit Metadata
Analyzed At
Jun 14, 2026, 06:41 AM
Package URL
pkg:socket/skills-sh/frankxai%2Fclaude-skills-library%2Fgithub-release-management%2F@31861348cf85fc01cb79bf10f85a021e586c0c686f81ee7d135df7ff02ff9cea
Security Audit — socket — github-release-management