moshi-best-practices
Warn
Audited by Socket on May 15, 2026
1 alert found:
AnomalyAnomalySKILL.md
LOWAnomalyLOW
SKILL.md
The skill is mostly purpose-aligned and behaves like a legitimate host-setup guide for Moshi, tmux, and agent hooks. The main risk is install and credential trust: it asks the agent to install an external hook daemon/CLI and pass it a pairing token, with optional non-Keychain secret storage and ongoing network connectivity. That is suspicious enough for medium security risk without clear evidence of malicious intent.
Confidence: 78%Severity: 55%
Audit Metadata