pp-strava

Warn

Audited by Socket on Jun 22, 2026

1 alert found:

Anomaly
AnomalyLOW
SKILL.md

SUSPICIOUS: the skill's Strava analytics purpose is plausible, but it depends on external executables from a differently named publisher, forwards Strava credentials to that CLI, and includes arbitrary webhook delivery plus MCP installation. No direct malware indicators or hidden exfiltration are shown, but install trust and data-routing scope are significant enough for a medium-high risk classification.

Confidence: 81%Severity: 62%
Audit Metadata
Analyzed At
Jun 22, 2026, 12:58 AM
Package URL
pkg:socket/skills-sh/mvanhorn%2Fprinting-press-library%2Fpp-strava%2F@d3aa3d4645dd2080031fff31cedfa3a595298926e5e5c06ec1f6855200f47e51
Security Audit — socket — pp-strava