signals

Fail

Audited by Socket on Mar 18, 2026

1 alert found:

Malware (HIGH)
SKILL.md

SUSPICIOUS. The stated purpose matches consuming trading signals, but the core dependency is an unverifiable external CLI installed from an unverified tap, and the skill forwards optional local NATS credentials into that binary. Its explicit use for trading-bot decisioning also raises real-world action risk. No confirmed credential theft or overt exfiltration is shown, so this is high-risk vulnerable behavior rather than confirmed malware.

Confidence: 85%
Severity: 86%

Audit Metadata

Analyzed At: Mar 18, 2026, 11:17 PM
Package URL: pkg:socket/skills-sh/spot-canvas%2Fsn%2Fsignals%2F@7cec35463d89fc0fe2da147d07a7c1ee674beef4
Security Audit — socket — signals