SecondBrain/skills-sh-security-scans-ar...

2.0 KiB

type title summary tags scope last_updated date source
reference skills.sh security risk assessments are heuristic capability flags, not malware verdicts How to interpret skills.sh's Gen/Socket/Snyk security table: High/Med ratings fire on benign capability patterns, so read the per-skill detail page and the actual files before trusting a flag.
type/reference
tool/skills-sh
domain/agent-skills
domain/security
global 2026-07-14 2026-07-14 cc-os

skills.sh security scans are heuristic

The "Security Risk Assessments" table shown by the npx skills installer (Gen, Socket, Snyk columns) reports heuristic capability flags, not malware verdicts. High/Med ratings routinely fire on benign patterns:

  • Snyk W007 (credential handling) — skill instructs pasting CLI output or bundles an executable .sh file, even an inert interactive one.
  • Snyk W011 (indirect prompt injection) — skill reads external issue/ticket/PR text into context (any tracker-reading skill triggers this).
  • Socket anomaly alerts — trust-chain patterns like "posts autonomously to an external tracker"; explicitly not malware findings.

Verified 2026-07-14 on Matt Pocock's skill pack: all five flags (one High, three Med, one Socket alert) traced to legitimate documented features; full local file reads found no injection, obfuscation, network calls, or confirmation bypasses. Third-party testing (dev.to bolhasec obfuscation study; caveman#28) shows the scanners are inconsistent — Socket missed a known-malicious baseline while Gen over-flagged benign scripts.

Procedure when a flag appears: open skills.sh/<owner>/<pack>/<skill>/security/<scanner> for the specific finding, then read the installed skill files (typically ~/.agents/skills/<name>/) checking for network calls, obfuscation, credential access, and confirmation bypasses. Trust the file contents and publisher reputation over the badge — in both directions: a "Safe" row is equally weak evidence.