last30days
Audited by Socket on Jul 8, 2026
3 alerts found:
Anomalyx2MalwareSUSPICIOUS. The skill's overall purpose and capabilities are mostly coherent for a multi-source research agent, and there is no clear evidence of malware or credential theft. However, it has a fairly broad execution/data footprint, forwards credentials to several providers, includes vendored third-party code, and processes large volumes of untrusted external content while retaining Bash and Write permissions, which creates medium security risk.
This code fragment is strongly consistent with local Firefox cookie extraction: it discovers and targets cookies.sqlite under user profile directories, optionally copies sidecar files to facilitate database access, and constructs/filters cookie records by host/name/expiry before returning structured cookies containing the actual cookie values. Even though explicit network exfiltration is not shown in this snippet, the capability and output sensitivity are high and are commonly associated with session/cookie theft. Review the surrounding module for parameterization, caller authorization, and any downstream handling (storage/transmission/redaction).
SUSPICIOUS. The core research/watchlist purpose is plausible, and most local storage and API-key use fit that purpose, but the X path is inconsistent: Bird CLI is an unofficial third-party tool using private endpoints/cookie auth instead of official X APIs. Combined with delegated hidden logic in unseen references/scripts and unpinned external tooling, this skill has medium risk with notable credential and data-flow concerns, but not enough evidence for confirmed malware.