theangrypit-skillset-bootstrap

Warn

Audited by Socket on Jul 3, 2026

2 alerts found:

Anomalyx2
AnomalyLOW
SKILL.md

SUSPICIOUS: the skill’s purpose and capabilities mostly align, and it uses the official documented `skills` CLI path, but its main function is transitive installation of additional skills from GitHub, including external manifests not shown here. That makes it a coherent bootstrap utility with meaningful supply-chain risk rather than confirmed malware.

Confidence: 89%Severity: 68%
AnomalyLOW
scripts/install-skillset.sh

No direct malware is evident in this Bash wrapper: it performs input parsing, whitelists scope/agent options, constructs arguments using an argv array (reducing shell injection risk), and only delegates actions to `npx skills add` when `--apply` is used. The main security concern is supply-chain/execution risk: manifest-controlled `source`/`skill` values can drive `npx` to resolve and install/execute attacker-chosen packages/skills depending on how `npx skills add` behaves and what `npx` resolves in the environment. Treat the manifest and invoked `skills`/`npx` tooling as high-trust inputs (pin/verify where possible) and restrict who can author manifests or run with `--apply`.

Confidence: 70%Severity: 56%
Audit Metadata
Analyzed At
Jul 3, 2026, 05:54 PM
Package URL
pkg:socket/skills-sh/TheAngryPit%2FTheAngrySkills%2Ftheangrypit-skillset-bootstrap%2F@211342f37103a1f342a21023dfcbe5e2173d76428d5dec14d035f4c2ba427280
Security Audit — socket — theangrypit-skillset-bootstrap