last30days

Fail

Audited by Socket on Jul 8, 2026

3 alerts found:

Anomalyx2Malware
AnomalyLOW
SKILL.md

SUSPICIOUS. The skill's overall purpose and capabilities are mostly coherent for a multi-source research agent, and there is no clear evidence of malware or credential theft. However, it has a fairly broad execution/data footprint, forwards credentials to several providers, includes vendored third-party code, and processes large volumes of untrusted external content while retaining Bash and Write permissions, which creates medium security risk.

Confidence: 84%Severity: 62%
MalwareHIGH
scripts/lib/vendor/bird-search/node_modules/@steipete/sweet-cookie/dist/providers/firefoxSqlite.js

This code fragment is strongly consistent with local Firefox cookie extraction: it discovers and targets cookies.sqlite under user profile directories, optionally copies sidecar files to facilitate database access, and constructs/filters cookie records by host/name/expiry before returning structured cookies containing the actual cookie values. Even though explicit network exfiltration is not shown in this snippet, the capability and output sensitivity are high and are commonly associated with session/cookie theft. Review the surrounding module for parameterization, caller authorization, and any downstream handling (storage/transmission/redaction).

Confidence: 56%Severity: 82%
AnomalyLOW
variants/open/SKILL.md

SUSPICIOUS. The core research/watchlist purpose is plausible, and most local storage and API-key use fit that purpose, but the X path is inconsistent: Bird CLI is an unofficial third-party tool using private endpoints/cookie auth instead of official X APIs. Combined with delegated hidden logic in unseen references/scripts and unpinned external tooling, this skill has medium risk with notable credential and data-flow concerns, but not enough evidence for confirmed malware.

Confidence: 85%Severity: 68%
Audit Metadata
Analyzed At
Jul 8, 2026, 04:54 PM
Package URL
pkg:socket/skills-sh/hardikpandya%2Flast-30-days%2Flast30days%2F@db75f9e3410df812fb68b95cd94e1381a589010c
Security Audit — socket — last30days