--- type: reference title: skills.sh security risk assessments are heuristic capability flags, not malware verdicts summary: "How to interpret skills.sh's Gen/Socket/Snyk security table: High/Med ratings fire on benign capability patterns, so read the per-skill detail page and the actual files before trusting a flag." tags: - type/reference - tool/skills-sh - domain/agent-skills - domain/security scope: global last_updated: 2026-07-14 date: 2026-07-14 source: cc-os --- # skills.sh security scans are heuristic The "Security Risk Assessments" table shown by the `npx skills` installer (Gen, Socket, Snyk columns) reports heuristic capability flags, not malware verdicts. High/Med ratings routinely fire on benign patterns: - **Snyk W007 (credential handling)** — skill instructs pasting CLI output or bundles an executable `.sh` file, even an inert interactive one. - **Snyk W011 (indirect prompt injection)** — skill reads external issue/ticket/PR text into context (any tracker-reading skill triggers this). - **Socket anomaly alerts** — trust-chain patterns like "posts autonomously to an external tracker"; explicitly not malware findings. Verified 2026-07-14 on Matt Pocock's skill pack: all five flags (one High, three Med, one Socket alert) traced to legitimate documented features; full local file reads found no injection, obfuscation, network calls, or confirmation bypasses. Third-party testing (dev.to bolhasec obfuscation study; caveman#28) shows the scanners are inconsistent — Socket missed a known-malicious baseline while Gen over-flagged benign scripts. **Procedure when a flag appears:** open `skills.sh////security/` for the specific finding, then read the installed skill files (typically `~/.agents/skills//`) checking for network calls, obfuscation, credential access, and confirmation bypasses. Trust the file contents and publisher reputation over the badge — in both directions: a "Safe" row is equally weak evidence.