socket-scan

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly embeds a full-looking API token in command examples (and shows using it as a direct CLI argument), which requires the model to reproduce that secret verbatim in generated commands — an insecure credential-handling pattern.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs running runtime commands like "npx socket" and "npx @cyclonedx/cdxgen" which fetch and execute remote npm packages (and points to https://socket.dev), so external content from the npm registry is required and executed at runtime.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I scanned for high-entropy, literal credentials. The documentation includes a literal API token set in an example command:

npx socket config set apiToken sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api --no-banner --no-spinner

This is a non-placeholder, random-looking token value (an API token) rather than a named environment variable or example placeholder, so it meets the definition of a secret. I did not flag environment variable names (e.g., SOCKET_CLI_API_TOKEN) or other obvious placeholders and setup-password examples because those are explicitly excluded by the policy.