lavish
Warn
Audited by Socket on Jul 1, 2026
1 alert found:
Anomaly (LOW): SKILL.md
Mostly coherent with its stated purpose of visual artifact review, but it relies on an unpinned external CLI run via `npx` and feeds untrusted browser annotations back into an agent that can modify files and execute commands. This is better classified as suspicious/medium risk due to supply-chain and prompt-injection exposure, not confirmed malicious behavior.
Confidence: 74%
Severity: 57%
Audit Metadata