skill-finder-cn
Audited by Socket on May 14, 2026
2 alerts found:
AnomalySecurityThis bash wrapper is unlikely to be malicious on its own; it primarily performs keyword filtering on the output of an external CLI. The dominant security concern is supply-chain risk: it uses `npx -y` to fetch and execute/install behavior from `PostPlusAI/postplus-skills` (and related tooling) at runtime with `--global`. QUERY/LIMIT handling appears resistant to common shell command injection, but robustness is limited (LIMIT not validated). Overall: moderate risk driven by unpinned, runtime-resolved external execution.
SUSPICIOUS: the skill’s purpose matches recommending and installing PostPlus skills, so its behavior is broadly coherent, but it materially expands trust by directing global installation of an external CLI and a full remote skills repository. The main issue is transitive skill installation and unpinned remote installs, not confirmed malware or overt credential theft.