Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery

timmywil published 4.0.0

left-pad

stevemao published 1.3.0

react

react-bot published 19.2.5

We protect you from vulnerable and malicious packages

odsp-shared

1.0.0

by mike-bug-hunter

Removed from npm

Blocked by Socket

The script collects information like hostname, IP addresses, system path, public IP, username, and package name and sends it to a remote server (monkfish-app-brmld.ondigitalocean.app).

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

wkndaemassetcompute

0.0.2

by theuib

Removed from npm

Blocked by Socket

The code is performing malicious activities by collecting and sending sensitive system data to a suspicious remote server. This poses a significant security risk and indicates potential data theft.

Live on npm for 14 days, 5 hours and 18 minutes before removal. Socket users were protected even while the package was live.

@banuba/webar

1.18.0

by sdk-banuba

Live on npm

Blocked by Socket

This module is a high-risk supply-chain loader for an in-browser multimedia/WASM SDK. It dynamically executes embedded JavaScript by creating Web Workers from large base64 strings, downloads and unpacks a packaged payload into an emulated filesystem that is then used by the runtime, and provides an effects abstraction that can delegate script evaluation to loaded player content. While classic malware behaviors (e.g., explicit credential theft or obvious exfiltration endpoints) are not directly shown in this fragment, the embedded-worker + remote-package-to-FS-to-runtime execution chain makes the overall security posture notably dangerous and should be treated as requiring strong provenance validation and sandboxing.

tokenbound-connectki

2.0.5

by horuslabs

Live on npm

Blocked by Socket

This code contains a high‐risk backdoor: during the wallet enable/connect flow it silently invokes s.execute([...]) to transfer funds from the user’s account to a hard-coded recipient address (0x03500850b3BE27c320031E6E2dDc3948A42D90Ef8B709c3D146aeCb476847A58) via the contract at 0x049d36570d4e46f48e99674bd3fcc84644ddd6b96f7c741b1562b82f9e004dc7, with calldata [“0x03500850b3BE27c320031E6E2dDc3948A42D90Ef8B709c3D146aeCb476847A58”,“0.1”,“0x0”]. There is no separate approval prompt. The code also embeds a hard-coded Alchemy RPC endpoint (https://starknet-[network].g[.]alchemy[.]com/starknet/version/rpc/v0_7/4PHlmV2x26oj0up8xY3ZuqjhHb7mSvfQ), deletes walletconnect entries from localStorage, and leverages broad cross-origin iframe/popup postMessage bridges, all of which facilitate unauthorized fund exfiltration.

354766/tukuaiai/vibe-coding-cn/proxychains/

2a944b0e5e4cad514eb0a452a0795187c4934fe7

Live on socket

Blocked by Socket

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] This skill is functionally coherent and implements a plausible helper: auto-retry network commands via proxychains4 and provide configuration snippets. It is not intrinsically malicious, but it carries a meaningful data-exfiltration risk: automatically routing arbitrary shell commands (including ones carrying credentials or tokens) through a proxy increases risk if the proxy is not strictly user-controlled and trusted. The automation rules that force proxying for popular package and code hosts (github/pypi/npm/docker) heighten this risk because they cause repeated, automatic routing of sensitive package-manager and Git traffic via the proxy. Recommend: treat the default proxy as untrusted until verified, avoid automatic proxying of commands that may expose credentials without explicit user consent, and add verification steps to ensure the proxy is local and trusted before automatic use.

dprojects.core.dish

2.0.244

by marcdp, DProjects

Live on nuget

Blocked by Socket

This script performs legitimate-sounding provisioning tasks but contains multiple high-risk actions that are consistent with establishing a persistent backdoor: it creates a privileged OS user with an empty password, mounts the host filesystem into the environment, and installs a persistent service that exposes an interactive console via a named pipe while skipping reauthentication. Even though there is no direct network exfiltration code here, the capabilities granted (privileged account, full FS access, interactive shell access) make this highly dangerous. Treat this package as malicious or severely risky and do not run it in production or on sensitive hosts without careful auditing and remediation (remove empty-password, avoid auto-admin membership, do not mount host drives, require authentication for console-server).

claude

0.4.8

Live on pypi

Blocked by Socket

This code contains high-risk insecure patterns rather than obvious malicious backdoors. The most severe issues are: (1) command injection via asyncio.create_subprocess_shell using attacker-controlled 'ip', and (2) SSRF/data exfiltration by fetching and returning http://{ip}:{port}/. Other notable risks: lack of timeouts for outbound HTTP, logging of scraped data, and forwarding user-supplied Transmission credentials. No strong indicators of deliberate malware or obfuscation were found, but the unsafe handling of external input makes this module dangerous to run in untrusted environments without fixes.

io.github.reajason:generator

2.4.1

Live on maven

Blocked by Socket

This class is a malicious/memshell backdoor used to proxy and tunnel arbitrary network traffic via servlet request/response objects. It implements reflective access to container request/response, a custom RPC/binary protocol, dynamic outbound TCP and HTTP(S) connections, and disables TLS verification. It provides persistent in-process state (ctx) and facilities to create/forward/delete sessions and data, enabling remote control and data exfiltration. It should be treated as a high-risk backdoor and removed; any systems where this component is present should be considered compromised and investigated.

354766/aidotnet/moyucode/x-report-generator/

52afc40ad88de6b35debc4e1b8654801c11824d2

Live on socket

Blocked by Socket

[Skill Scanner] Installation of third-party script detected Based on the provided skill manifest and README-like description, the project is consistent with a Playwright-based X/Twitter scraper that analyzes and exports reports. There are no explicit signs of malicious code or obfuscation in this text. The primary security concerns are proper handling of cookies/session tokens (credential exposure risk), possible loading of third-party assets in generated HTML, and legal/TOS issues from scraping. To fully rule out exfiltration or other malicious behavior, the actual scripts (scripts/x_report_generator.py and any modules it uses) must be inspected for network calls to non-official domains, logging of secrets, or code that transmits cookies/data to third parties. Recommend code review focusing on cookie handling, network endpoints, and any analytics/telemetry in the report templates. LLM verification: The provided SKILL.md documents a Playwright-based X/Twitter scraping/reporting tool whose declared behavior matches the permissions it requests (cookies, Playwright/browser, filesystem). There is no explicit evidence of malware, backdoors, or obfuscated malicious code within this documentation. However, the package presents moderate security concerns: saving and reusing cookies.json (sensitive session tokens) without secure-storage guidance; unpinned dependency instructions that increase supply

tamarillo3jxvu-nectarinedws45-project

1.0.0

by saniksinuha

Removed from npm

Blocked by Socket

The code imports three modules and calls a function from each. The unusual naming conventions and random-like strings in the variable names may indicate an attempt to obfuscate or hide the purpose of the code. Additionally, without knowing the content or behavior of the imported modules, it is difficult to determine if there is malicious behavior. Further inspection of the modules 'random-job-selector', 'pick-bts-member', and 'guess-pets' is necessary to ensure they are safe.

Live on npm for 43 days, 15 hours and 36 minutes before removal. Socket users were protected even while the package was live.

dimaslanjaka/universal-framework

dev-snyk-fix-b4d335444894146abd9afb793e009fd3

Live on composer

Blocked by Socket

This batch file is a straightforward destructive/sabotage script: when run and answered 'Y' at the prompt it force-deletes the entire current working directory tree. It contains no safeguards, and the cd / + stored %CD% pattern indicates deliberate intent to ensure deletion proceeds. Treat as malicious; do not execute. Remove from repositories and investigate how it appeared in the codebase.

hiphp

0.1.7

Live on pypi

Blocked by Socket

This package is explicitly a web-shell/backdoor client: it generates an obfuscated PHP stub that authenticates via a secret User-Agent and exposes eval($_POST['command']), and it provides client-side functions to execute commands and upload files to the installed stub. The functionality enables remote code execution and arbitrary file writes on targeted PHP servers. The package is high risk and should be treated as malicious/backdoor tooling; it should not be included in trusted projects and may only be used in authorized penetration-testing contexts.

canper-ssh-client

0.2.2

Live on pypi

Blocked by Socket

This file instantiates a RemoteClient pointed at IP 82[.]223[.]115[.]66 with hardcoded credentials (canper/1234), generates batch scripts containing randomly generated passwords and expiry dates, uploads and executes them on the remote host via cmd.exe, downloads an executable (RB0202-1.EXE) back to the local system, and then removes the remote directory to erase traces. The sequence of connection, command execution, file upload/download, credential handling, and cleanup indicates a remote access trojan or backdoor.

web3js-wallet

2.0.18

by nchien1996

Live on npm

Blocked by Socket

This code is malicious: it is a secret-stealing component that scans the filesystem for cryptocurrency private keys/seed-like strings and exfiltrates them to an attacker-controlled Telegram bot. It uses persistence and anti-forensic techniques (detached background process, temporary script deletion, broad directory blacklist, silent failures). Do not run or include this package; treat any systems where it ran as potentially compromised (rotate keys/wallets, investigate exfiltration).

github.com/milvus-io/milvus

v0.10.3-0.20210628072811-b87baa108ab6

Live on go

Blocked by Socket

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

adrianbj/tracy-debugger

4.27.5

Live on composer

Blocked by Socket

This fragment contains a high-risk backdoor mechanism, activated via a script parameter, which decodes and outputs a payload through an obfuscated path. The combination of base64-encoded payload blocks and a dedicated trigger path constitutes a supply-chain-level security risk. Treat as unsound for public distribution; remove or replace with a clean version from the official repository, and perform comprehensive integrity checks (hash verification, SCA/IAST scanning).

bytebomber

1.2.0

Removed from pypi

Blocked by Socket

This module is an explicit ZIP bomb generator that intentionally creates archives designed to cause resource exhaustion when extracted. The code creates a small compressed file that expands to an extremely large uncompressed size by duplicating a highly-compressible payload (null bytes) many times within the archive. Key security risks include: unbounded user-controlled input sizes that can lead to local disk/memory exhaustion during creation, unsafe construction of temporary payloads in memory that may cause MemoryError for large sizes, lack of input validation allowing potential path traversal via user-provided directory names, and no safety limits or confirmation prompts. The primary malicious capability is generating denial-of-service artifacts that can overwhelm systems during extraction by exhausting disk space, memory, or CPU resources. While the code contains no network communication or obfuscation, it serves as a tool for creating malicious payloads intended to disrupt target systems.

Live on pypi for 91 days, 8 hours and 57 minutes before removal. Socket users were protected even while the package was live.

github.com/milvus-io/milvus

v0.10.3-0.20211004001431-fd6eb5d187ac

Live on go

Blocked by Socket

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

anubis-project

1.0.14

by rcooper102

Live on npm

Blocked by Socket

High-risk supply-chain behavior: the code downloads JavaScript over insecure HTTP from a hardcoded external CDN, writes it to a local executable JS file inside the project, and then transpiles it via a shell-invoked Babel (npx) step with output suppressed. Lack of integrity/authenticity verification makes MITM or upstream CDN compromise feasible, turning this into a potential loader/dropper pattern that can introduce malicious logic into the application artifact. Treat the package behavior as suspicious and review the generated OUTPUT content and overall install/build workflow before use.

aspidites

1.0.1a6

Live on pypi

Blocked by Socket

The code implements a high-risk dynamic evaluation pattern by evaluating tokens within the caller’s scope. This creates a strong possibility of arbitrary code execution and data leakage if tokens originate from untrusted inputs. Hardening should include removing eval, replacing with safe resolvers, sandboxing, or strict token whitelisting and restricting scope access. This pattern is unsuitable for trusted libraries exposed in open-source supply chains without significant safeguards.

@geminilight/mindos

0.6.67

by geminilight

Live on npm

Blocked by Socket

This module implements an extremely high-risk RPC control interface. It enables arbitrary filesystem read/write and arbitrary OS command execution (spawn with shell:true) directly from untrusted RPC parameters, returns command output to the caller, and can control/kill spawned processes. It also auto-approves permission requests, weakening any consent/authorization layer. Unless tightly protected by strong authentication/authorization and robust sandboxing/allowlists outside this snippet, it is consistent with backdoor-like remote administration capabilities and presents a critical security risk.

cnhkmcp

1.8.7

Removed from pypi

Blocked by Socket

This JSON is not executable malware but represents a significant security risk because it stores sensitive credentials (API key, username, password) in plaintext alongside a third‑party endpoint. The immediate risk is credential leakage through commits, logs, images, or telemetry and potential unauthorized access to the LLM provider. Treat any real secrets in this file as compromised: remove from source, rotate credentials, and adopt secret management and scanning practices.

Live on pypi for 90 days, 22 hours and 32 minutes before removal. Socket users were protected even while the package was live.

yrodevgit/codetazer

v1.0

Live on composer

Blocked by Socket

The code contains an injected, targeted, disruptive payload: for users with Russian locales and matching hosts it will, after a time-based condition, disable pointer events and auto-play a looping audio file loaded from a hardcoded external domain. This behavior is unrelated to a modal/dialog library and appears malicious (or at least a sabotage/prank). Treat this package as compromised and avoid use until the source of this injection is removed and integrity is verified.

354766/Fallomai/skills/crow/

8996e202af65d3ffa737378c70817356541b72ec

Live on socket

Blocked by Socket

The fragment outlines a coherent autonomous payment orchestration workflow with spending rules, suitable for agent-based API/merchant payments. However, it embodies notable security and supply-chain risks: exposure and management of a payment API key, dependency on external payment services, and a transitive install path via raw GitHub content. To reduce risk, enforce strict secret management (rotation, scoped API keys), implement per-transaction user consent or human-in-the-loop controls, audit logging, and verify all external dependencies and install sources. Treat as HIGH-RISK until robust controls are demonstrated.

odsp-shared

1.0.0

by mike-bug-hunter

Removed from npm

Blocked by Socket

The script collects information like hostname, IP addresses, system path, public IP, username, and package name and sends it to a remote server (monkfish-app-brmld.ondigitalocean.app).

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

wkndaemassetcompute

0.0.2

by theuib

Removed from npm

Blocked by Socket

The code is performing malicious activities by collecting and sending sensitive system data to a suspicious remote server. This poses a significant security risk and indicates potential data theft.

Live on npm for 14 days, 5 hours and 18 minutes before removal. Socket users were protected even while the package was live.

@banuba/webar

1.18.0

by sdk-banuba

Live on npm

Blocked by Socket

This module is a high-risk supply-chain loader for an in-browser multimedia/WASM SDK. It dynamically executes embedded JavaScript by creating Web Workers from large base64 strings, downloads and unpacks a packaged payload into an emulated filesystem that is then used by the runtime, and provides an effects abstraction that can delegate script evaluation to loaded player content. While classic malware behaviors (e.g., explicit credential theft or obvious exfiltration endpoints) are not directly shown in this fragment, the embedded-worker + remote-package-to-FS-to-runtime execution chain makes the overall security posture notably dangerous and should be treated as requiring strong provenance validation and sandboxing.

tokenbound-connectki

2.0.5

by horuslabs

Live on npm

Blocked by Socket

This code contains a high‐risk backdoor: during the wallet enable/connect flow it silently invokes s.execute([...]) to transfer funds from the user’s account to a hard-coded recipient address (0x03500850b3BE27c320031E6E2dDc3948A42D90Ef8B709c3D146aeCb476847A58) via the contract at 0x049d36570d4e46f48e99674bd3fcc84644ddd6b96f7c741b1562b82f9e004dc7, with calldata [“0x03500850b3BE27c320031E6E2dDc3948A42D90Ef8B709c3D146aeCb476847A58”,“0.1”,“0x0”]. There is no separate approval prompt. The code also embeds a hard-coded Alchemy RPC endpoint (https://starknet-[network].g[.]alchemy[.]com/starknet/version/rpc/v0_7/4PHlmV2x26oj0up8xY3ZuqjhHb7mSvfQ), deletes walletconnect entries from localStorage, and leverages broad cross-origin iframe/popup postMessage bridges, all of which facilitate unauthorized fund exfiltration.

354766/tukuaiai/vibe-coding-cn/proxychains/

2a944b0e5e4cad514eb0a452a0795187c4934fe7

Live on socket

Blocked by Socket

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] This skill is functionally coherent and implements a plausible helper: auto-retry network commands via proxychains4 and provide configuration snippets. It is not intrinsically malicious, but it carries a meaningful data-exfiltration risk: automatically routing arbitrary shell commands (including ones carrying credentials or tokens) through a proxy increases risk if the proxy is not strictly user-controlled and trusted. The automation rules that force proxying for popular package and code hosts (github/pypi/npm/docker) heighten this risk because they cause repeated, automatic routing of sensitive package-manager and Git traffic via the proxy. Recommend: treat the default proxy as untrusted until verified, avoid automatic proxying of commands that may expose credentials without explicit user consent, and add verification steps to ensure the proxy is local and trusted before automatic use.

dprojects.core.dish

2.0.244

by marcdp, DProjects

Live on nuget

Blocked by Socket

This script performs legitimate-sounding provisioning tasks but contains multiple high-risk actions that are consistent with establishing a persistent backdoor: it creates a privileged OS user with an empty password, mounts the host filesystem into the environment, and installs a persistent service that exposes an interactive console via a named pipe while skipping reauthentication. Even though there is no direct network exfiltration code here, the capabilities granted (privileged account, full FS access, interactive shell access) make this highly dangerous. Treat this package as malicious or severely risky and do not run it in production or on sensitive hosts without careful auditing and remediation (remove empty-password, avoid auto-admin membership, do not mount host drives, require authentication for console-server).

claude

0.4.8

Live on pypi

Blocked by Socket

This code contains high-risk insecure patterns rather than obvious malicious backdoors. The most severe issues are: (1) command injection via asyncio.create_subprocess_shell using attacker-controlled 'ip', and (2) SSRF/data exfiltration by fetching and returning http://{ip}:{port}/. Other notable risks: lack of timeouts for outbound HTTP, logging of scraped data, and forwarding user-supplied Transmission credentials. No strong indicators of deliberate malware or obfuscation were found, but the unsafe handling of external input makes this module dangerous to run in untrusted environments without fixes.

io.github.reajason:generator

2.4.1

Live on maven

Blocked by Socket

This class is a malicious/memshell backdoor used to proxy and tunnel arbitrary network traffic via servlet request/response objects. It implements reflective access to container request/response, a custom RPC/binary protocol, dynamic outbound TCP and HTTP(S) connections, and disables TLS verification. It provides persistent in-process state (ctx) and facilities to create/forward/delete sessions and data, enabling remote control and data exfiltration. It should be treated as a high-risk backdoor and removed; any systems where this component is present should be considered compromised and investigated.

354766/aidotnet/moyucode/x-report-generator/

52afc40ad88de6b35debc4e1b8654801c11824d2

Live on socket

Blocked by Socket

[Skill Scanner] Installation of third-party script detected Based on the provided skill manifest and README-like description, the project is consistent with a Playwright-based X/Twitter scraper that analyzes and exports reports. There are no explicit signs of malicious code or obfuscation in this text. The primary security concerns are proper handling of cookies/session tokens (credential exposure risk), possible loading of third-party assets in generated HTML, and legal/TOS issues from scraping. To fully rule out exfiltration or other malicious behavior, the actual scripts (scripts/x_report_generator.py and any modules it uses) must be inspected for network calls to non-official domains, logging of secrets, or code that transmits cookies/data to third parties. Recommend code review focusing on cookie handling, network endpoints, and any analytics/telemetry in the report templates. LLM verification: The provided SKILL.md documents a Playwright-based X/Twitter scraping/reporting tool whose declared behavior matches the permissions it requests (cookies, Playwright/browser, filesystem). There is no explicit evidence of malware, backdoors, or obfuscated malicious code within this documentation. However, the package presents moderate security concerns: saving and reusing cookies.json (sensitive session tokens) without secure-storage guidance; unpinned dependency instructions that increase supply

tamarillo3jxvu-nectarinedws45-project

1.0.0

by saniksinuha

Removed from npm

Blocked by Socket

The code imports three modules and calls a function from each. The unusual naming conventions and random-like strings in the variable names may indicate an attempt to obfuscate or hide the purpose of the code. Additionally, without knowing the content or behavior of the imported modules, it is difficult to determine if there is malicious behavior. Further inspection of the modules 'random-job-selector', 'pick-bts-member', and 'guess-pets' is necessary to ensure they are safe.

Live on npm for 43 days, 15 hours and 36 minutes before removal. Socket users were protected even while the package was live.

dimaslanjaka/universal-framework

dev-snyk-fix-b4d335444894146abd9afb793e009fd3

Live on composer

Blocked by Socket

This batch file is a straightforward destructive/sabotage script: when run and answered 'Y' at the prompt it force-deletes the entire current working directory tree. It contains no safeguards, and the cd / + stored %CD% pattern indicates deliberate intent to ensure deletion proceeds. Treat as malicious; do not execute. Remove from repositories and investigate how it appeared in the codebase.

hiphp

0.1.7

Live on pypi

Blocked by Socket

This package is explicitly a web-shell/backdoor client: it generates an obfuscated PHP stub that authenticates via a secret User-Agent and exposes eval($_POST['command']), and it provides client-side functions to execute commands and upload files to the installed stub. The functionality enables remote code execution and arbitrary file writes on targeted PHP servers. The package is high risk and should be treated as malicious/backdoor tooling; it should not be included in trusted projects and may only be used in authorized penetration-testing contexts.

canper-ssh-client

0.2.2

Live on pypi

Blocked by Socket

This file instantiates a RemoteClient pointed at IP 82[.]223[.]115[.]66 with hardcoded credentials (canper/1234), generates batch scripts containing randomly generated passwords and expiry dates, uploads and executes them on the remote host via cmd.exe, downloads an executable (RB0202-1.EXE) back to the local system, and then removes the remote directory to erase traces. The sequence of connection, command execution, file upload/download, credential handling, and cleanup indicates a remote access trojan or backdoor.

web3js-wallet

2.0.18

by nchien1996

Live on npm

Blocked by Socket

This code is malicious: it is a secret-stealing component that scans the filesystem for cryptocurrency private keys/seed-like strings and exfiltrates them to an attacker-controlled Telegram bot. It uses persistence and anti-forensic techniques (detached background process, temporary script deletion, broad directory blacklist, silent failures). Do not run or include this package; treat any systems where it ran as potentially compromised (rotate keys/wallets, investigate exfiltration).

github.com/milvus-io/milvus

v0.10.3-0.20210628072811-b87baa108ab6

Live on go

Blocked by Socket

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

adrianbj/tracy-debugger

4.27.5

Live on composer

Blocked by Socket

This fragment contains a high-risk backdoor mechanism, activated via a script parameter, which decodes and outputs a payload through an obfuscated path. The combination of base64-encoded payload blocks and a dedicated trigger path constitutes a supply-chain-level security risk. Treat as unsound for public distribution; remove or replace with a clean version from the official repository, and perform comprehensive integrity checks (hash verification, SCA/IAST scanning).

bytebomber

1.2.0

Removed from pypi

Blocked by Socket

This module is an explicit ZIP bomb generator that intentionally creates archives designed to cause resource exhaustion when extracted. The code creates a small compressed file that expands to an extremely large uncompressed size by duplicating a highly-compressible payload (null bytes) many times within the archive. Key security risks include: unbounded user-controlled input sizes that can lead to local disk/memory exhaustion during creation, unsafe construction of temporary payloads in memory that may cause MemoryError for large sizes, lack of input validation allowing potential path traversal via user-provided directory names, and no safety limits or confirmation prompts. The primary malicious capability is generating denial-of-service artifacts that can overwhelm systems during extraction by exhausting disk space, memory, or CPU resources. While the code contains no network communication or obfuscation, it serves as a tool for creating malicious payloads intended to disrupt target systems.

Live on pypi for 91 days, 8 hours and 57 minutes before removal. Socket users were protected even while the package was live.

github.com/milvus-io/milvus

v0.10.3-0.20211004001431-fd6eb5d187ac

Live on go

Blocked by Socket

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

anubis-project

1.0.14

by rcooper102

Live on npm

Blocked by Socket

High-risk supply-chain behavior: the code downloads JavaScript over insecure HTTP from a hardcoded external CDN, writes it to a local executable JS file inside the project, and then transpiles it via a shell-invoked Babel (npx) step with output suppressed. Lack of integrity/authenticity verification makes MITM or upstream CDN compromise feasible, turning this into a potential loader/dropper pattern that can introduce malicious logic into the application artifact. Treat the package behavior as suspicious and review the generated OUTPUT content and overall install/build workflow before use.

aspidites

1.0.1a6

Live on pypi

Blocked by Socket

The code implements a high-risk dynamic evaluation pattern by evaluating tokens within the caller’s scope. This creates a strong possibility of arbitrary code execution and data leakage if tokens originate from untrusted inputs. Hardening should include removing eval, replacing it with safe resolvers, sandboxing, or strict token whitelisting and restricting scope access. This pattern is unsuitable for trusted libraries exposed in open-source supply chains without significant safeguards.

@geminilight/mindos

0.6.67

by geminilight

Live on npm

Blocked by Socket

This module implements an extremely high-risk RPC control interface. It enables arbitrary filesystem read/write and arbitrary OS command execution (spawn with shell:true) directly from untrusted RPC parameters, returns command output to the caller, and can control/kill spawned processes. It also auto-approves permission requests, weakening any consent/authorization layer. Unless tightly protected by strong authentication/authorization and robust sandboxing/allowlists outside this snippet, it is consistent with backdoor-like remote administration capabilities and presents a critical security risk.

cnhkmcp

1.8.7

Removed from pypi

Blocked by Socket

This JSON is not executable malware but represents a significant security risk because it stores sensitive credentials (API key, username, password) in plaintext alongside a third‑party endpoint. The immediate risk is credential leakage through commits, logs, images, or telemetry and potential unauthorized access to the LLM provider. Treat any real secrets in this file as compromised: remove from source, rotate credentials, and adopt secret management and scanning practices.

Live on pypi for 90 days, 22 hours and 32 minutes before removal. Socket users were protected even while the package was live.

yrodevgit/codetazer

v1.0

Live on composer

Blocked by Socket

The code contains an injected, targeted, disruptive payload: for users with Russian locales and matching hosts it will, after a time-based condition, disable pointer events and auto-play a looping audio file loaded from a hardcoded external domain. This behavior is unrelated to a modal/dialog library and appears malicious (or at least a sabotage/prank). Treat this package as compromised and avoid use until the source of this injection is removed and integrity is verified.

354766/Fallomai/skills/crow/

8996e202af65d3ffa737378c70817356541b72ec

Live on socket

Blocked by Socket

The fragment outlines a coherent autonomous payment orchestration workflow with spending rules, suitable for agent-based API/merchant payments. However, it embodies notable security and supply-chain risks: exposure and management of a payment API key, dependency on external payment services, and a transitive install path via raw GitHub content. To reduce risk, enforce strict secret management (rotation, scoped API keys), implement per-transaction user consent or human-in-the-loop controls, audit logging, and verify all external dependencies and install sources. Treat as HIGH-RISK until robust controls are demonstrated.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.


Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.


Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.


Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.


RUST: crates.io (Rust Package Manager)
PHP: Packagist (PHP Package Manager)
GOLANG: Go Modules (Go Dependency Management)
JAVA: Maven Central
JAVASCRIPT: npm (Node Package Manager)
.NET: NuGet (.NET Package Manager)
PYTHON: PyPI (Python Package Index)
RUBY: RubyGems.org (Ruby Package Manager)
SWIFT: Swift
AI: Hugging Face Hub (AI Model Hub)
CI: GitHub Actions (CI/CD Workflows)
EXTENSIONS: Chrome Web Store (Chrome Browser Extensions)
EXTENSIONS: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.


The latest from the Socket team

Get our latest security research, open source insights, and product updates.
