Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.5

We protect you from vulnerable and malicious packages

ompl-thin

0.0.12

Live on pypi

Blocked by Socket

The source code is not malicious but contains serious security vulnerabilities due to unsafe deserialization of pickle data and use of eval() on socket input. These issues allow arbitrary code execution from local socket connections, posing a high security risk. No obfuscation or malware behaviors are detected. It is strongly recommended to replace pickle with a safe serialization method and avoid eval() on untrusted input to mitigate these risks.

mtmai

0.3.1053

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

sh-py

15.46

Live on pypi

Blocked by Socket

This module contains multiple high-risk behaviors consistent with supply-chain/backdoor style malicious activity: automated network installs, hardcoded publishing credentials, automated twine upload behavior, self-modification and self-deletion, dynamic importing/execution controlled via environment variables, encrypting/decrypting code on disk, copying caches and executing loaded code, and forceful process termination. Even if some code paths are brittle or contain syntax issues, the overall intent appears to enable remote execution/propagation and automated malicious publishing. I recommend not using this package and treating it as potentially malicious.

@aiyiran/myclaw

1.0.176

by aiyiran

Live on npm

Blocked by Socket

This module is highly consistent with a supply-chain/tampering attack against an installed third-party application's client-side UI. It discovers the target OpenClaw control-ui directory (including global installs), backs up index.html, injects new scripts into index.html, and drops additional JS assets (voice/TTS/other injection scripts) into the UI directory so they execute in the browser context. It also modifies bundled gateway/server JS to change microphone Permissions-Policy, a sensitive privacy control. Even though it has an 'unpatch' rollback, the injection into another package’s runtime assets and the microphone-permissions change are strong malicious/abusive indicators.

github-badge-bot

1.6.3

Live on npm

Blocked by Socket

This module systematically harvests guild metadata and permanent invite links and forwards them to an external Telegram sink. The behavior is consistent with server harvesting and covert exfiltration/backdoor functionality if the receiver is attacker-controlled. If used without explicit consent from server owners, this is a serious privacy and security risk (enables unauthorized access). Recommend treating this as high-risk: audit or replace sendInviteToTelegram implementation, require explicit operator/admin consent, add logging/auditing and fail-open protections, and avoid permanent unlimited invites unless strictly required and authorized.

wirelessxpl

1.5.0

Live on pypi

Blocked by Socket

This fragment is not benign networking code: it directly launches and configures transparent MITM/proxy components (mitmdump in transparent mode; bettercap with net.sniff and HTTP proxying) and supports script/content injection and optional HTTPS downgrade. It also includes explicit offensive intent in metadata (rogue AP, interception/injection, credential sniffing, download spoofing) and provides privileged execution (sudo bettercap). While an authorization gate and dry-run exist, the operational capability shown here is strongly consistent with credential interception/manipulation and should be treated as high security risk for any non-lab or improperly controlled environment.

sbcli-dev

12.0.7

Live on pypi

Blocked by Socket

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

ailever

0.2.435

Live on pypi

Blocked by Socket

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

uranium

0.2.38

Live on pypi

Blocked by Socket

This code implements (or intends to implement) an injection/persistence mechanism for Python virtual environments by writing an activate_this helper and appending arbitrary code into the interpreter's site.py. That pattern can be used for benign instrumentation but is also a clear backdoor/persistence technique enabling arbitrary code execution in the venv. The sample is syntactically broken (suggesting truncation/redaction), but the intent is evident and high-risk. Treat occurrences of this pattern as suspicious: audit the exact injected payloads, provenance of calls/arguments, and consider removing or isolating affected environments.

keillion-dynamsoft-javascript-label-recognizer

0.20211029174105.0

by keillion

Removed from npm

Blocked by Socket

This file is an Emscripten-generated runtime glue that is expected to instantiate and drive a WebAssembly module, provide filesystem and binding support, and expose runtime helpers. I see no clear signs of intent to perform sabotage or data exfiltration embedded in this fragment. The main security concerns are the legitimate use of eval for runtime script execution and dynamic loading/execution of a Wasm binary from a URL — both are powerful capabilities that become dangerous if fed untrusted input or if the wasm source is compromised. Treat eval and remote wasm loading as sensitive sinks and ensure callers and distribution of the wasm are trusted.

Live on npm for 15 hours and 17 minutes before removal. Socket users were protected even while the package was live.

fsd

0.1.535

Removed from pypi

Blocked by Socket

This module does not contain clear active malware (no reverse shell, no code injection constructs, no obfuscated payloads), but it has a high risk of sensitive data exposure. The code aggregates repository files, attachments (including base64 images), crawl logs and user-supplied prompts into conversation history and sends them via AIGateway.arch_stream_prompt to an external AI service. Critically, the embedded system prompt explicitly instructs the agent to disclose API keys and full API details if present, creating a pattern that will leak secrets. If the AI gateway endpoint is untrusted or compromised, this will result in confidential data exfiltration. Recommendation: Do not use this code in environments with sensitive secrets without adding strict filtering/redaction, explicit confirmation before sending secrets, allow-listing of safe files, and auditing/trusting the AI gateway endpoint.

Live on pypi for 5 days, 10 hours and 57 minutes before removal. Socket users were protected even while the package was live.

rfmux

0.0.0

Removed from pypi

Blocked by Socket

This code contains high-risk insecure coding patterns: direct pickle.load() on user-selected files and eval() on GUI-controlled text fields. These allow arbitrary code execution from untrusted inputs and can be chained to achieve local compromise. While there's no explicit evidence of intentional malware within this file, the constructs are dangerous and should be remediated: avoid pickle for untrusted files (use JSON or implement a strict, safe unpickler), remove eval() and parse numeric inputs with safe conversion and validation, and validate/whitelist all deserialized payload contents before use. Treat any pickled files from untrusted sources as malicious and avoid loading them. Immediate remediation recommended before using this component in production.

Live on pypi for 1 day, 1 hour and 41 minutes before removal. Socket users were protected even while the package was live.

354766/dicklesworthstone/mcp_agent_mail/agent-mail/

14889f30e3fb68b699facdc44e5eed8aaf706c44

Live on socket

Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]

The code fragment is internally coherent with a large, feature-rich coordination tool (mail-like agent coordination) but exhibits a high-risk install pattern (curl | bash from an unpinned public URL) and token-based configuration that requires careful handling. This creates a potential supply-chain risk vector even for a legitimate project. Without additional security controls (hash/signing of installer, pinned versions, transparent provenance, and secure configuration practices), classify as SUSPICIOUS to HIGH-RISK due to download-execute patterns and credential exposure surfaces. If this installer is replaced with a pinned, signed artifact from a trusted registry or repository, and explicit security hardening is documented, the risk would be lower.

LLM verification: The SKILL.md describes a plausible agent coordination tool but uses a high-risk install pattern (remote installer fetched via curl | bash). This is incompatible with secure software supply-chain practices. Treat as suspicious with elevated risk due to remote code execution potential. Recommend replacing with pinned, signed, and verifiable install steps (e.g., package manager installation with checksums, container images with digest, or a signed installer) and adding integrity verification and pr

mtxai

0.0.7

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

ryry-cli

2.87

Removed from pypi

Blocked by Socket

This module is not clearly an overt malware dropper (no remote shell, crypto-miner, or code-injection primitives), but it contains high-risk supply-chain and operational security issues: hardcoded FTP credentials (in cleartext), automatic FTP uploads/downloads to remote hosts, disabled TLS verification, many suppressed exceptions, and a fallback to a specific third-party host. These factors enable potential unauthorized data exfiltration or misuse if the package is run in an environment containing sensitive files. Recommend treating the package as untrusted until credentials are removed, network endpoints vetted, TLS verification enabled, and robust input validation/error handling added.

Live on pypi for 12 hours and 20 minutes before removal. Socket users were protected even while the package was live.

binarium-client

3.19.9

by malikrukd4732

Removed from npm

Blocked by Socket

The source code exhibits clear malicious behavior by collecting system data, archiving potentially sensitive files, and uploading them to a remote server. This poses a significant security risk.

Live on npm for 12 minutes before removal. Socket users were protected even while the package was live.

github.com/milvus-io/milvus

v0.10.3-0.20211116034710-b8c52397841e

Live on go

Blocked by Socket

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

ent-unified-logon-template

3.14.5

by husae

Removed from npm

Blocked by Socket

The code exhibits malicious behavior by exfiltrating environment variables to an external server, which poses a significant security risk. The domain used is obfuscated, indicating an attempt to hide malicious intent.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

github.com/gravitational/teleport

v1.3.3-0.20231229230901-af08644114b7

Live on go

Blocked by Socket

The script functions as a bootstrap installer that fetches a Teleport binary from a CDN, extracts it, and executes it with user-provided arguments. While common in bootstrap flows, this approach carries significant supply-chain risk due to lack of integrity verification, potential tampering of the CDN content, and execution of an external binary in the host environment. To reduce risk, add cryptographic verification (signatures/checksums), validate the artifact against a trusted manifest, constrain and sanitize teleportArgs, implement isolation (sandbox/container), and improve error handling with cleanup. Consider using pinned TLS/HTTPS, and validating the tarball contents before execution.

@payvo/sdk-eos

1.3.24

by faustbrian

Live on npm

Blocked by Socket

This code contains a critical supply chain attack. The broadcast method ignores user input and always executes a hardcoded cryptocurrency transfer before throwing a NotImplemented exception to hide the malicious behavior. Every application using this service will attempt unauthorized token transfers.

xync-client

0.0.93.dev29

Live on pypi

Blocked by Socket

This code is malicious in intent: it automates fraudulent interaction with a banking website, contains hardcoded sensitive credentials, evades automation detection, prompts an operator to supply OTPs (social-engineering), performs money transfers, and persists session state to disk for reuse. It should be treated as a tool for account takeover and financial theft. Do not run it; remove any storage_state files and investigate systems where it executed. The snippet also contains syntax errors and is incomplete, but those do not mitigate the clearly malicious purpose.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership


Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.


Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.


Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.


Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.


RUST: crates.io (Rust Package Manager)

PHP: Packagist (PHP Package Manager)

GOLANG: Go Modules (Go Dependency Management)

JAVA: Maven Central

JAVASCRIPT: npm (Node Package Manager)

.NET: NuGet (.NET Package Manager)

PYTHON: PyPI (Python Package Index)

RUBY: RubyGems.org (Ruby Package Manager)

SWIFT: Swift

AI: Hugging Face Hub (AI Model Hub)

CI: GitHub Actions (CI/CD Workflows)

EXTENSIONS: Chrome Web Store (Chrome Browser Extensions)

EXTENSIONS: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

The Shai Hulud v2 campaign uses a preinstall script (setup_bun.js) and a loader (setup_bin.js) that install or locate Bun and then execute an obfuscated bundled malicious script (bun_environment.js) with its output suppressed.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published, roughly one every two minutes, from newly created accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, some of which mention a capture-the-flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.


The latest from the Socket team

Get our latest security research, open source insights, and product updates.
