arkcli-connect

Warn

Audited by Socket on Jul 1, 2026

2 alerts found:

Anomalyx2
AnomalyLOW
SKILL.md

SUSPICIOUS: the skill is coherent with its stated purpose of syncing arkcli skills locally, and there is no obvious credential theft or remote exfiltration. The main risk is transitive skill installation into multiple agents plus broad purge/uninstall behavior and the documented auto-run on npm postinstall, which makes it a medium-risk local trust-expansion tool rather than confirmed malware.

Confidence: 80%Severity: 56%
AnomalyLOW
references/arkcli-connect.md

No direct evidence of classic malware behaviors (exfiltration, credential theft, backdoors, or obfuscated payload execution) is present in the provided fragment. However, the described package behavior is supply-chain sensitive: npm postinstall may automatically execute its own binary in interactive contexts, and +connect/uninstall perform broad, prefix-based purging of ark-/arkcli-* directories/soft-links followed by recursive installation of embedded skills. This combination can cause unintended data loss or user-managed-content removal and is therefore a meaningful security/operational risk that warrants reviewing the actual postinstall and purge implementation details (especially symlink and path handling) and inspecting the embedded skill content for malicious intent.

Confidence: 42%Severity: 66%
Audit Metadata
Analyzed At
Jul 1, 2026, 08:31 AM
Package URL
pkg:socket/skills-sh/volcengine%2Fark-cli%2Farkcli-connect%2F@00511d8a17b47d6f82e44831ddcb18a0c098aeefb9967bb1b38eb58620f738f9
Security Audit — socket — arkcli-connect