profile-use

Warn

Audited by Socket on Jun 30, 2026

3 alerts found:

Anomalyx3
AnomalyLOW
SKILL.md

SUSPICIOUS. The skill's capabilities mostly match its stated autofill/KYC purpose, but it handles unusually sensitive personal and credential data, persists it locally, and can install/use a third-party vault CLI through an unseen helper script. Data flow is mostly coherent and direct, not overtly exfiltrative, so this is not confirmed malware; the main concern is high-impact credential/PII handling plus moderate install-trust risk.

Confidence: 86%Severity: 67%
AnomalyLOW
app/ProfileUse/Core/CredentialBridge.swift

This Swift file is a thin bridge that dynamically executes a bundled Python script via Process (python3 + profile_use.py) to query vault status and perform credential lookup/login. It decodes untrusted JSON from the external process and, when configured, can return highly sensitive credential fields (password/totp/uris) to callers. No explicit malware behavior (e.g., networking, persistence, obfuscation, or direct exfiltration) is shown in this fragment, but the supply-chain/trust-boundary risk is meaningful because the module delegates security-critical credential operations to executable bundled code and passes an unvalidated domain argument into external command arguments.

Confidence: 60%Severity: 52%
AnomalyLOW
install-app.sh

No direct malicious behavior (exfiltration, credential theft, command-and-control, or backdoor logic) is evident in this shell installer wrapper itself. However, it has significant supply-chain risk: it fetches a moving 'releases/latest' DMG without integrity/signature verification and installs it into /Applications using sudo, then removes extended attributes that can include quarantine metadata. The safety of this script depends entirely on the trustworthiness of the remote GitHub release artifact.

Confidence: 66%Severity: 62%
Audit Metadata
Analyzed At
Jun 30, 2026, 02:03 PM
Package URL
pkg:socket/skills-sh/leeguooooo%2Fpersonal-autofill%2Fprofile-use%2F@0a08b9208bc1a321fbb441b62d9feabc0aae7e8d
Security Audit — socket — profile-use