arkcli-connect
Audited by Socket on Jul 1, 2026
2 alerts found:
Anomalyx2SUSPICIOUS: the skill is coherent with its stated purpose of syncing arkcli skills locally, and there is no obvious credential theft or remote exfiltration. The main risk is transitive skill installation into multiple agents plus broad purge/uninstall behavior and the documented auto-run on npm postinstall, which makes it a medium-risk local trust-expansion tool rather than confirmed malware.
No direct evidence of classic malware behaviors (exfiltration, credential theft, backdoors, or obfuscated payload execution) is present in the provided fragment. However, the described package behavior is supply-chain sensitive: npm postinstall may automatically execute its own binary in interactive contexts, and +connect/uninstall perform broad, prefix-based purging of ark-/arkcli-* directories/soft-links followed by recursive installation of embedded skills. This combination can cause unintended data loss or user-managed-content removal and is therefore a meaningful security/operational risk that warrants reviewing the actual postinstall and purge implementation details (especially symlink and path handling) and inspecting the embedded skill content for malicious intent.