yao-doctor-skill
Audited by Socket on Jun 25, 2026
3 alerts found:
Malwarex2SecurityThe provided dependency bundle shows strong, high-signal indicators of malicious/sabotaging behavior: approval/confirmation bypass for deploy/publish, remote bootstrap execution via curl|sh, dynamic exec() of base64-decoded payloads, and execution of staged/unpacked archive contents. It also includes credentialed outbound HTTP messaging/asset uploading and persistence-like retention flags that could amplify impact. Recommended: quarantine/block immediately and perform containment + forensic review of runtime behavior and any published artifacts.
This workflow performs high-risk remote code execution by downloading and executing an unverified script from a hardcoded external URL using a classic curl-to-shell pattern. The behavior is consistent with CI/CD sabotage or malware staging and should be treated as malicious/unsafe unless replaced with a vetted, pinned, integrity-checked process.