2.0 KiB
| type | title | summary | tags | scope | last_updated | date | source | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| reference | skills.sh security risk assessments are heuristic capability flags, not malware verdicts | How to interpret skills.sh's Gen/Socket/Snyk security table: High/Med ratings fire on benign capability patterns, so read the per-skill detail page and the actual files before trusting a flag. |
|
global | 2026-07-14 | 2026-07-14 | cc-os |
skills.sh security scans are heuristic
The "Security Risk Assessments" table shown by the npx skills installer (Gen, Socket,
Snyk columns) reports heuristic capability flags, not malware verdicts. High/Med ratings
routinely fire on benign patterns:
- Snyk W007 (credential handling) — skill instructs pasting CLI output or bundles an
executable
.shfile, even an inert interactive one. - Snyk W011 (indirect prompt injection) — skill reads external issue/ticket/PR text into context (any tracker-reading skill triggers this).
- Socket anomaly alerts — trust-chain patterns like "posts autonomously to an external tracker"; explicitly not malware findings.
Verified 2026-07-14 on Matt Pocock's skill pack: all five flags (one High, three Med, one Socket alert) traced to legitimate documented features; full local file reads found no injection, obfuscation, network calls, or confirmation bypasses. Third-party testing (dev.to bolhasec obfuscation study; caveman#28) shows the scanners are inconsistent — Socket missed a known-malicious baseline while Gen over-flagged benign scripts.
Procedure when a flag appears: open
skills.sh/<owner>/<pack>/<skill>/security/<scanner> for the specific finding, then read
the installed skill files (typically ~/.agents/skills/<name>/) checking for network
calls, obfuscation, credential access, and confirmation bypasses. Trust the file contents
and publisher reputation over the badge — in both directions: a "Safe" row is equally
weak evidence.