41 lines
2.0 KiB
Markdown
41 lines
2.0 KiB
Markdown
|
|
---
|
||
|
|
type: reference
|
||
|
|
title: skills.sh security risk assessments are heuristic capability flags, not malware verdicts
|
||
|
|
summary: "How to interpret skills.sh's Gen/Socket/Snyk security table: High/Med ratings fire on benign capability patterns, so read the per-skill detail page and the actual files before trusting a flag."
|
||
|
|
tags:
|
||
|
|
- type/reference
|
||
|
|
- tool/skills-sh
|
||
|
|
- domain/agent-skills
|
||
|
|
- domain/security
|
||
|
|
scope: global
|
||
|
|
last_updated: 2026-07-14
|
||
|
|
date: 2026-07-14
|
||
|
|
source: cc-os
|
||
|
|
---
|
||
|
|
|
||
|
|
# skills.sh security scans are heuristic
|
||
|
|
|
||
|
|
The "Security Risk Assessments" table shown by the `npx skills` installer (Gen, Socket,
|
||
|
|
Snyk columns) reports heuristic capability flags, not malware verdicts. High/Med ratings
|
||
|
|
routinely fire on benign patterns:
|
||
|
|
|
||
|
|
- **Snyk W007 (credential handling)** — skill instructs pasting CLI output or bundles an
|
||
|
|
executable `.sh` file, even an inert interactive one.
|
||
|
|
- **Snyk W011 (indirect prompt injection)** — skill reads external issue/ticket/PR text
|
||
|
|
into context (any tracker-reading skill triggers this).
|
||
|
|
- **Socket anomaly alerts** — trust-chain patterns like "posts autonomously to an external
|
||
|
|
tracker"; explicitly not malware findings.
|
||
|
|
|
||
|
|
Verified 2026-07-14 on Matt Pocock's skill pack: all five flags (one High, three Med, one
|
||
|
|
Socket alert) traced to legitimate documented features; full local file reads found no
|
||
|
|
injection, obfuscation, network calls, or confirmation bypasses. Third-party testing
|
||
|
|
(dev.to bolhasec obfuscation study; caveman#28) shows the scanners are inconsistent —
|
||
|
|
Socket missed a known-malicious baseline while Gen over-flagged benign scripts.
|
||
|
|
|
||
|
|
**Procedure when a flag appears:** open
|
||
|
|
`skills.sh/<owner>/<pack>/<skill>/security/<scanner>` for the specific finding, then read
|
||
|
|
the installed skill files (typically `~/.agents/skills/<name>/`) checking for network
|
||
|
|
calls, obfuscation, credential access, and confirmation bypasses. Trust the file contents
|
||
|
|
and publisher reputation over the badge — in both directions: a "Safe" row is equally
|
||
|
|
weak evidence.
|