cloud

Warn

Audited by Socket on May 20, 2026

1 alert found:

Security
SecurityMEDIUM
SKILL.md

SUSPICIOUS: The core Shiplight API and data flows are mostly aligned with the stated cloud-sync purpose, but the daily `npx skills@latest update` step introduces a notable supply-chain risk because it executes an unpinned package whose Shiplight ownership is not verified here. Secret handling is broadly proportional, though direct `.env` writing and optional storage-state upload raise moderate exposure concerns.

Confidence: 84%Severity: 74%
Audit Metadata
Analyzed At
May 20, 2026, 02:41 PM
Package URL
pkg:socket/skills-sh/ShiplightAI%2Fagent-skills%2Fcloud%2F@4335c2391dd8736f563b03e9092a0d2b82cb40e6
Security Audit — socket — cloud