skill-finder-cn

Warn

Audited by Socket on May 14, 2026

2 alerts found:

AnomalySecurity
AnomalyLOW
scripts/search.sh

This bash wrapper is unlikely to be malicious on its own; it primarily performs keyword filtering on the output of an external CLI. The dominant security concern is supply-chain risk: it uses `npx -y` to fetch and execute/install behavior from `PostPlusAI/postplus-skills` (and related tooling) at runtime with `--global`. QUERY/LIMIT handling appears resistant to common shell command injection, but robustness is limited (LIMIT not validated). Overall: moderate risk driven by unpinned, runtime-resolved external execution.

Confidence: 62%Severity: 55%
SecurityMEDIUM
SKILL.md

SUSPICIOUS: the skill’s purpose matches recommending and installing PostPlus skills, so its behavior is broadly coherent, but it materially expands trust by directing global installation of an external CLI and a full remote skills repository. The main issue is transitive skill installation and unpinned remote installs, not confirmed malware or overt credential theft.

Confidence: 84%Severity: 72%
Audit Metadata
Analyzed At
May 14, 2026, 08:13 PM
Package URL
pkg:socket/skills-sh/PostPlusAI%2Fpostplus-skills%2Fskill-finder-cn%2F@e8eeaa3a73ec605602e0bdff0bc16d5a7a37a98d
Security Audit — socket — skill-finder-cn