huashu-nuwa
Audited by Socket on Jun 23, 2026
2 alerts found:
AnomalyObfuscated FileSUSPICIOUS. The skill’s stated purpose is mostly coherent with content research and analysis, and there is no clear credential harvesting or malicious exfiltration path. However, it expands into tool-driven research and execution via undocumented local scripts—especially a subtitle-downloading shell script—without provenance, source, or endpoint clarity, creating moderate security risk and a trust gap disproportionate to a simple persona/advice skill.
The provided fragment is a non-executable informational dossier with references. There is no code-level malware, no data flow that could enable supply-chain compromise, and no runtime security risk inherent to the fragment itself. Risk considerations are primarily reputational and informational; treat as documentation and ensure any downstream usage does not automatically execute or deserialize external content.