oma-hwp

Warn

Audited by Socket on Jun 13, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: the skill’s purpose and local file access are coherent for document conversion, and there is no obvious credential theft or exfiltration path. However, its core behavior relies on executing unpinned third-party npm code (`bunx kordoc@latest`) and additional resource dependencies, which creates a disproportionate supply-chain risk for an AI skill even though the capability fits the stated purpose.

Confidence: 100%
Severity: 60%

Audit Metadata

Analyzed At: Jun 13, 2026, 12:19 PM
Package URL: pkg:socket/skills-sh/gracefullight%2Fstock-checker%2Foma-hwp%2F@8520b1d6b1ab3ee638c091f9423a294dbc32f697fe6e22ac70267111bae57cbd