Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery
timmywil published 4.0.0

left-pad
stevemao published 1.3.0

react
react-bot published 19.2.4

We protect you from vulnerable and malicious packages

ailever

0.2.778

Live on PyPI

Blocked by Socket

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

seznam-diskuze

11.1.1

Live on npm

Blocked by Socket

This module unconditionally collects sensitive local and package metadata and transmits it to a hardcoded external endpoint. Behavior is covert (no opt-out, suppressed errors) and consistent with a supply-chain backdoor/telemetry exfiltration. Treat as malicious: remove or isolate the dependency, investigate provenance and package versions, rotate any credentials that may have been exposed via package.json, and block the domain at network perimeter. Do not include this package in builds or production environments.

styled-beautify-components

6.1.5

by jamesrodrigh1234

Removed from npm

Blocked by Socket

The code exhibits behavior associated with downloading and executing potentially malicious scripts, posing a high security risk.

Live on npm for 37 minutes before removal. Socket users were protected even while the package was live.

panopticon-cli

0.4.31

Live on npm

Blocked by Socket

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] The code fragment defines a valid design-to-code workflow but includes high-risk operational instructions: executing a repository Bash fetch script on external URLs and running npm install/dev without sandboxing or integrity checks. These steps create a moderate supply-chain and execution risk. Recommended mitigations: restrict allowed download domains or require signed manifests, run downloads and npm install inside ephemeral containers/VMs, add integrity checks (hashes/signatures) for downloaded artifacts, review scripts/fetch-stitch.sh for safe handling and proper quoting/sanitization, and avoid executing lifecycle scripts from untrusted sources. Treat inputs from design JSON as untrusted until validated and prefer in-process vetted fetchers over ad-hoc shell scripts. LLM verification: The skill's stated purpose (convert Stitch designs to React components) aligns with most of the requested capabilities (fetch design JSON, download HTML, extract style config, generate components, run validators). However, the execution model depends on running a local bash fetch script with externally supplied URLs and on running npm installs and npm scripts without integrity checks. Those decisions broaden the attack surface and are disproportionate to the stated design-to-code conversion goal

bluelamp-ai

0.45.2

Removed from PyPI

Blocked by Socket

The module deploys a concealed payload which is decoded and executed at import/runtime. This is a high-risk pattern: it prevents static review and grants the payload full execution privileges. Without decoding and analyzing the payload contents in a safe environment, you must assume it could perform malicious actions (credential theft, network exfiltration, remote code execution, system modification). Do not use this package in trusted environments until the decompressed code is audited and provenance verified.

Live on PyPI for 2 days, 6 hours and 38 minutes before removal. Socket users were protected even while the package was live.

pt-validate

2.99.99

by rustyellowstone

Removed from npm

Blocked by Socket

The code exhibits behavior consistent with malware, specifically attempting to exfiltrate system information via DNS queries. The use of obfuscation techniques further raises suspicion.

Live on npm for 3 days, 15 hours and 26 minutes before removal. Socket users were protected even while the package was live.

354766/inference-sh-1/skills/ai-content-pipeline/

0c5585c45791b11c9525126f5f57625e82d8d989

Live on Socket Artifact

Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected (AITech 9.1.4) [CI013]

react-forget-runtime

19.1.0

by jpdhackerone06

Removed from npm

Blocked by Socket

This source code is malicious. It performs stealthy data exfiltration of sensitive system and environment information to a suspicious hardcoded IP address. The evasion techniques and randomized network behavior indicate intentional concealment. This represents a serious security and privacy risk and should be flagged as high severity malware.

Live on npm for 3 days, 10 hours and 31 minutes before removal. Socket users were protected even while the package was live.

fbjscs

0.0.1

by yousuf_discord

Live on npm

Blocked by Socket

The code is downloading data from https://members-hub.store/linkbyauth?pass=[PASSWORD]. It then uses the response to make another request to download more code. The downloaded code is stored in this._files. The load_FromPath method uses eval() to execute the downloaded code.

fsd

0.1.587

Removed from PyPI

Blocked by Socket

This module is not obviously obfuscated or directly embedding malware (no hardcoded credentials, no obfuscated payloads, no network exfiltration primitives present). However it intentionally executes arbitrary shell commands (shell=True) and can open terminals to run commands with elevated privileges if the user provides input. The most serious issue is execution of untrusted command strings combined with masking of killed processes as successful (return_code forced to 0 after timeout). If attacker-controlled data reaches steps_json or the interactive prompts, the host can be compromised. Treat this code as high-risk to run with untrusted inputs; it is suitable only in trusted-agent contexts or after strong input validation and safer execution strategies (avoid shell=True, sanitize inputs, do not force success on timeout).

Live on PyPI for 5 days, 8 hours and 37 minutes before removal. Socket users were protected even while the package was live.

insomniac

3.1.2

Live on PyPI

Blocked by Socket

This module implements a loader that decodes and executes an opaque compressed payload at import time. That pattern is a strong supply-chain/malicious indicator: it hides functionality, grants arbitrary code execution to the payload, and provides no integrity or provenance guarantees. Treat the package as high risk: do not import or run it in production or on privileged systems until the decompressed payload has been inspected and its behavior validated.

kfsd

0.0.35

Live on PyPI

Blocked by Socket

This module contains a critical vulnerability: unconstrained eval() of attacker-controlled 'input.expr' with access to local variables (including a formatted request object). This yields remote code execution and potential data exfiltration. The code likely represents an insecure design/bug rather than intentionally malicious code, but it must be remediated before handling untrusted inputs. Also fix the apparent syntax error in getAttr.

silmoon

1.5.5

by SILMOON

Live on NuGet

Blocked by Socket

The codebase exhibits strong indicators of malicious or dangerously risky behavior in a supply-chain context: explicit downloader-and-execute flow (SilmoonLoader.exe) with privileged system path deployment, remote config/licensing fetches that could enable beaconing or remote control, and hard-coded cryptographic material with weak security properties. Collectively, these patterns create an elevated risk of malware distribution, persistence, or data exposure if the package is used in untrusted environments. While some components may be legitimate utilities, the combination of remote payload deployment, insecure crypto, and broad system access warrants treating this as a high-security-risk component in a public project. Quarantine or remove such behavior from production deployments and implement strict provenance, secure crypto practices, and explicit user consent for any remote actions.

ac-animation-sequencer

10.999.999

Removed from npm

Blocked by Socket

The code is likely intended for malicious use, specifically data exfiltration. The obfuscation, use of system information gathering, dynamic DNS construction with encoded system data, and sending this data to a remote server via ping command are indicators of malicious intent. The code does not directly damage system files or steal credentials in a traditional sense, but it violates user privacy by leaking system information.

Live on npm for 23 minutes before removal. Socket users were protected even while the package was live.

pg-styles

1.0.35

by procter-gamble

Removed from npm

Blocked by Socket

The script is downloading a file from a suspicious domain, which raises concerns about potential malicious behavior. It is recommended to investigate the contents of the downloaded file and the reputation of the domain before proceeding.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

ailever

0.3.412

Live on PyPI

Blocked by Socket

The code presents a strong supply-chain and remote-execution risk by automatically downloading and executing remote Python payloads without integrity checks or sandboxing. It also creates and runs external services (Jupyter, Visdom, RStudio) based on user inputs, which can amplify impact if the remote payload is malicious. Mitigations include removing remote code execution paths, adding cryptographic verification (signatures or hash checks), isolating execution (sandboxes or containerization), validating inputs, and avoiding untrusted downloads or executions.

pkg-lumina-test

5.0.0

by avishek18

Removed from npm

Blocked by Socket

The script is trying to make a request to a remote server using the hostname command. This behavior could potentially be used for data exfiltration or to trigger malicious actions on the server.

Live on npm for 1 hour and 25 minutes before removal. Socket users were protected even while the package was live.

link-pty

0.2.7

Live on PyPI

Blocked by Socket

This module implements a remote-controlled terminal agent that spawns local /bin/bash PTYs and forwards input/output to a remote WebSocket server. That behavior is equivalent to a reverse shell / backdoor. It allows arbitrary remote command execution (via RECEIVE_USERINPUT) and exfiltration of shell output (via ws.send). The presence of a hardcoded default remote server and lack of authentication or sandboxing make this highly dangerous. Treat this package as malicious or high-risk and do not run it on trusted systems.

@techwavedev/agi-agent-kit

1.3.1

Live on npm

Blocked by Socket

[Skill Scanner] Backtick command substitution detected. All findings: [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] (the same finding is listed repeatedly in the scanner output). The skill is functionally coherent and aligned with its stated Amplitude automation purpose. I did not find hardcoded secrets, obfuscated code, or direct malware in this document. The primary security concern is architectural: it requires and centers a third-party MCP (https://rube.app/mcp) as the conduit for authentication and API calls. That MCP would receive OAuth authorization flows, tokens, and analytic payloads — effectively giving it access to Amplitude project data. Additionally, the memory integration suggests running local Python scripts whose content is not included here; executing unreviewed scripts increases operational risk. Because of these data-flow risks through an intermediary, treat this skill as SUSPICIOUS for sensitive environments unless the MCP (Rube) and referenced scripts are audited and trusted. LLM verification: The SKILL.md itself contains no executable or obfuscated malicious code; static scanner flags are documentation formatting artifacts. The dominant security concern is an operational supply-chain/trust risk: it directs users to add and rely on a third-party MCP (https://rube.app/mcp) that will broker auth and API calls without documenting token handling or security controls. This design could enable credential/token exposure and event/data tampering if the MCP is malicious or compromised. Treat t

kyntrack.python-test

0.0.32

Live on Open VSX

Blocked by Socket

The method `runTestCasesAfterCommit` contains a hard-coded call to `axios.post` targeting https://webhook[.]site/5735b3ca-a2d0-4759-80c1-392f3d2439cd and sends the supplied `CancellationToken` in the JSON payload. webhook[.]site is a generic request-catcher used for debugging—not a sanctioned telemetry endpoint—and there is no user consent or feature flag governing this outbound data transmission. This constitutes unauthorized telemetry/data exfiltration and should be removed or gated under explicit developer/debugging flags with clear documentation.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

AI-detected potential malware

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Why teams choose Socket

Proactive security

Depend on Socket to prevent malicious open source dependencies from infiltrating your app.

Easy to install

Install the Socket GitHub App in just 2 clicks and get protected today.

Comprehensive open source protection

Block 70+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.

Develop faster

Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
