magicpath

Warn

Audited by Socket on May 26, 2026

1 alert found:

Anomaly
AnomalyLOW
SKILL.md

The skill is purpose-aligned and mainly uses official-looking same-brand distribution paths, so it is not confirmed malware. The main concern is the load-time pre-execution directive that runs `npx -y magicpath-ai info`, which can download and execute external package code before normal approval, plus the broad Bash permission to run the CLI and modify local projects. Overall this is suspicious/high-trust developer tooling rather than malicious content.

Confidence: 83%Severity: 68%
Audit Metadata
Analyzed At
May 26, 2026, 04:03 PM
Package URL
pkg:socket/skills-sh/magicpathai%2Fagent-skills%2Fmagicpath%2F@b8e542b80364482ffa124107967d17ec55311c8b
Security Audit — socket — magicpath