tensorlake

Warn

Audited by Socket on Jun 18, 2026

1 alert found:

Anomaly
AnomalyLOW
.github/workflows/evals.yml

No direct malware is evidenced in the workflow YAML alone, but it creates a meaningful security/supply-chain risk surface: it installs an unpinned external npm CLI during CI, symlinks repository content into external tooling’s skill directory, and provides a live ANTHROPIC_API_KEY to repository-executed scripts. A definitive malware assessment requires reviewing the executed evals/*.py scripts and the referenced SKILL.md content, plus considering whether the eval runner allows unintended task selection based on user/repo-derived IDs.

Confidence: 62%Severity: 60%
Audit Metadata
Analyzed At
Jun 18, 2026, 03:58 PM
Package URL
pkg:socket/skills-sh/tensorlakeai%2Ftensorlake-skills%2Ftensorlake%2F@1a5496e00587f2e9def4a99f28d82bd22d93cc12
Security Audit — socket — tensorlake