tiangong-kb-course-fulltext-fetch

Warn

Audited by Socket on Jun 13, 2026

2 alerts found:

AnomalySecurity
AnomalyLOW
scripts/course_fulltext_fetch.sh

The script itself shows no direct malware behavior (no explicit exfiltration or stealth), but it is a high-impact execution/conduit wrapper: it can fetch and run a runtime-resolved dependency (`npx ...@latest`), allows the executed command to be overridden via environment variables, and exports variables from a caller-supplied env_file into the CLI’s environment. These factors create meaningful supply-chain and configuration-driven risk. Additionally, when output redirection is enabled, fetched content is written to a caller-controlled path and may be leaked to stderr on failure.

Confidence: 100%Severity: 60%
SecurityMEDIUM
SKILL.md
Audit Metadata
Analyzed At
Jun 13, 2026, 12:39 AM
Package URL
pkg:socket/skills-sh/tiangong-ai%2Fskills%2Ftiangong-kb-course-fulltext-fetch%2F@d0494218a42309abfe4517a72e7afcbfdd2e64dc6770760144d74790d9ac958a
Security Audit — socket — tiangong-kb-course-fulltext-fetch