cloud
Warn
Audited by Socket on May 20, 2026
1 alert found:
SecuritySecuritySKILL.md
MEDIUMSecurityMEDIUM
SKILL.md
SUSPICIOUS: The core Shiplight API and data flows are mostly aligned with the stated cloud-sync purpose, but the daily `npx skills@latest update` step introduces a notable supply-chain risk because it executes an unpinned package whose Shiplight ownership is not verified here. Secret handling is broadly proportional, though direct `.env` writing and optional storage-state upload raise moderate exposure concerns.
Confidence: 84%Severity: 74%
Audit Metadata