rallish-operator

Warn

Audited by Socket on May 18, 2026

2 alerts found:

AnomalySecurity
AnomalyLOW
scripts/install-binary.sh

No direct malicious behavior (e.g., credential theft, persistence, remote command execution, or data exfiltration) is evident in the shown script. The primary security concern is supply-chain integrity: the installer downloads and extracts an externally supplied release tarball and installs the contained executable without cryptographic verification (no hash/signature checks). If the upstream release artifact or download path is compromised, this script will faithfully install attacker-controlled code—potentially with elevated impact when targeting `/usr/local/bin`. Additional concerns include fragile JSON parsing for version resolution and non-explicitly hardened tar extraction, though extraction is confined to a temp directory.

Confidence: 66%Severity: 65%
SecurityMEDIUM
SKILL.md

SUSPICIOUS. The skill's rally orchestration purpose is plausible, but its actual footprint is wider than necessary: it installs an unpinned external binary, can install another skill transitively, and enables semi-autonomous command/code actions driven by another agent's notes. No direct credential theft is shown, but the install trust and untrusted-content-to-action paths make this a high-risk vulnerable skill rather than benign documentation.

Confidence: 84%Severity: 81%
Audit Metadata
Analyzed At
May 18, 2026, 09:18 PM
Package URL
pkg:socket/skills-sh/jazz1x%2Frallish%2Frallish-operator%2F@6ddbff85276de72ec642f7259be7cbd21b462b1a
Security Audit — socket — rallish-operator