alphaear-signal-tracker

Fail

Audited by Socket on Jun 21, 2026

1 alert found:

Obfuscated File
Obfuscated FileHIGH
scripts/utils/sentiment_tools.py

I found no explicit backdoor or traditional malware patterns in the provided code fragment. Main concerns are operational and supply-chain: (1) user text is sent to external LLM providers (possible data exfiltration), (2) transformers fallback can download models at runtime from the network, and (3) the LLM prompt is malformed and contains embedded SQL/code, increasing the risk of unexpected LLM responses being applied to the database. Critically, the code is truncated so parsing and validation of LLM outputs before DB writes cannot be assessed. Recommendations: avoid sending sensitive data to remote LLMs, ensure strict parsing and schema validation of any LLM JSON output before using it, remove code/SQL from prompts, pin/vendor dependencies (agno, llm.factory, transformers models), and review the truncated code paths to confirm safe DB update behavior.

Confidence: 90%
Audit Metadata
Analyzed At
Jun 21, 2026, 06:47 AM
Package URL
pkg:socket/skills-sh/ninehills%2Fskills%2Falphaear-signal-tracker%2F@2f2331db414112eca8530e302c6de63ba609912e
Security Audit — socket — alphaear-signal-tracker