bobcat-strategy

Warn

Audited by Socket on Jun 28, 2026

2 alerts found:

AnomalySecurity
AnomalyLOW
README.md

No explicit malicious payload is visible in this fragment because it contains only installation/run instructions and parameter descriptions. However, it establishes a high-consequence supply-chain execution path: it downloads multiple executable/config files from raw GitHub URLs without shown integrity pinning, then initializes a runtime and executes the downloaded Python producer. Additionally, it uses a sensitive authentication token via environment variable and redirects process output to a log file, which could enable secret leakage depending on the unseen producer’s logging behavior. Review/pin to specific revisions and verify artifact integrity before execution; also inspect the actual bobcat-producer.py and runtime/config handling for logging and network behaviors.

Confidence: 41%Severity: 60%
SecurityMEDIUM
SKILL.md
Audit Metadata
Analyzed At
Jun 28, 2026, 08:49 PM
Package URL
pkg:socket/skills-sh/senpi-ai%2Fsenpi-skills%2Fbobcat-strategy%2F@d7d2c26795e61ab2544569f3fdd773c22bcd054a53e5306e9bcb3823dddb238a
Security Audit — socket — bobcat-strategy