magicpath
Warn
Audited by Socket on May 26, 2026
1 alert found:
AnomalyAnomalySKILL.md
LOWAnomalyLOW
SKILL.md
The skill is purpose-aligned and mainly uses official-looking same-brand distribution paths, so it is not confirmed malware. The main concern is the load-time pre-execution directive that runs `npx -y magicpath-ai info`, which can download and execute external package code before normal approval, plus the broad Bash permission to run the CLI and modify local projects. Overall this is suspicious/high-trust developer tooling rather than malicious content.
Confidence: 83%Severity: 68%
Audit Metadata