Secure your dependencies. Ship with confidence.

Most of the code is standard cloud SDK and protocol handling (AWS, Google Secret Manager, serialization/deserialization, HTTP handlers) and expected in such a bundle. However, there is a highly suspicious function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local bundle.js (if present on disk), repacks, and runs npm publish. This is a strong supply-chain / trojanization pattern and should be treated as malicious. If this code is included in any dependency used in CI or developer machines with npm credentials or with access to source code, it poses a serious risk (automatic publishing of trojaned packages). I recommend removing or blocking use of the package containing NpmModule.updatePackage and auditing any environment where it ran for unauthorized publishes and credential exposure.

The module contains high-risk operations: executing arbitrary shell commands via subprocess with shell=True and writing/appending to files without validation. If the steps JSON or the user input is untrusted, an attacker can achieve remote code execution, modify arbitrary files, and change process state (cwd). There are no signs of network exfiltration or hardcoded credentials in this fragment, but the command execution sink is sufficient to escalate to any of those behaviors if exploited. Recommendation: treat inputs (steps, file names, user-provided suggested commands) as untrusted; remove shell=True or use argument lists, validate and canonicalize file paths, avoid executing suggested commands automatically, and employ strict prompting and auditing. Overall this code is not itself evidently obfuscated or explicitly malicious, but it poses a significant supply-chain/runtime risk when given untrusted instructions.

Live on pypi for 5 days, 4 hours and 32 minutes before removal. Socket users were protected even while the package was live.

This obfuscated Python module prompts for a user password, generates or loads a symmetric Fernet key into a hidden directory, and then encrypts or decrypts files in-place based on their extensions. All string constants (file paths, commands, extensions) are built via indexing into a single alphabet string to thwart analysis. It writes key and token files to disk, calls os.system under specific OS checks, and uses sys.exit to abort on failed validation. There are no network calls, but the script will irreversibly overwrite user files with ciphertext until the correct password is supplied—matching ransomware-like behavior and posing a severe risk to data integrity if executed without isolation.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

This module presents a high supply-chain and privilege-risk: it fetches untrusted JSON from hard-coded external URLs and uses that data to perform account enrollment and to control authentication flow at import time. Those behaviors allow a remote actor to inject accounts, change authentication behavior (including bypassing interactive checks), and cause unexpected side effects simply by modifying the hosted JSON. The truncated import at the end increases concern about tampering or incomplete disclosure. Recommend treating this code as malicious/untrusted: do not import or run it in production, audit the package origin, remove or sandbox it, and require code signing or integrity verification for any remote-controlled config before allowing such behavior.

This module immediately performs unauthorized reconnaissance and data exfiltration: it runs shell commands to collect hostname, user, working directory, and directory listing, encodes the results, and sends them to a hardcoded external HTTP endpoint on import. This is malicious behavior and should be treated as a compromise. Remove the package, block the destination host, audit systems where it was installed, and investigate the package source and dependency chain.

The threat is a malicious drain routine in package/dist/drain-v4.js that, using a locally stored private key and WalletConnect/MetaMask prompts, executes an on-chain transfer to a hardcoded owner address. It is designed as a backdoor-like supply-chain compromise intended to drain funds after approval, and should be considered malware to remove from dependencies and investigate any systems where config privateKey or walletConnectProjectId are present.

This code exhibits an unsafe pattern: it dynamically resolves and requires a module path derived from external input without validation or error handling, enabling arbitrary code execution if args.config is attacker-controlled. The snippet itself is not clearly malicious, but it creates a high-risk sink (dynamic require) that could be abused by attacker-supplied or tampered files. Recommend restricting allowed config locations, using data-only config formats for untrusted input, and adding robust error handling.

Live on npm for 1 hour and 14 minutes before removal. Socket users were protected even while the package was live.

This module is a wrapper for Seisan seismic tools and a formatter for STATION0.HYP files. It performs numerous system-level operations: downloading and extracting external software, installing system packages via apt-get with sudo, copying a packaged lib into /usr/lib, and executing external Seisan binaries via pexpect/subprocess. There is no clear code that exfiltrates secrets or establishes backdoors, but the lack of integrity checks on downloads, the requirement for root operations, and frequent shell command usage create substantial supply-chain and privilege escalation risk. Use in environments where the package or its downloaded content could be tampered with is dangerous. Recommend not running download_seisan() with sudo on production hosts and reviewing/locking sources, adding checksum verification, and avoiding copying bundled libraries into system paths.

High supply-chain risk. This module downloads a platform-specific native executable from a hardcoded remote CDN, writes it to disk, activates it via symlink/copy, and executes it to perform only a heuristic --help/banner string check. There is no checksum/signature verification and redirects are followed without domain allowlisting, meaning a tampered CDN payload could execute arbitrary native code. Treat as a security alert requiring strong integrity controls (pinned hashes/signatures and constrained redirect targets) before use.

This script performs explicit, high-risk privileged operations: it installs sudo if missing, creates a hard-coded user 'adios', and grants that user passwordless, unrestricted sudo rights by writing to /etc/sudoers.d. In most contexts (especially third-party packages or supply-chain components) this is a strong indicator of a malicious or unauthorized backdoor/persistence mechanism. Treat as high-risk: do not run on production systems unless the script's origin and intent are fully trusted and the actions are deliberate and audited.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This module intentionally executes python code extracted from LLM/client responses and injects local artefacts (dataframe and model) into that execution environment. That design creates a high-risk code-execution and data-exfiltration vector: a malicious or compromised LLM response can run arbitrary operations (file/network/OS access) and leak data back via captured stdout or assistant utterances. No obfuscation or hidden credentials found, but the exec usage on untrusted input makes this unsafe for untrusted LLMs or unverified content without significant sandboxing or restrictions. Recommend treating this as dangerous in its current form and implementing strong sandboxing or removing exec-based workflow.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

The module is an offensive reconnaissance/prioritization generator: it codifies high-value targets, attack vectors, and vulnerability judgments for government, military, and critical infrastructure entities. Although it performs no network I/O or exploitation itself, its outputs are directly actionable and clearly intended to enable attacks. It should be treated as malicious or extremely high-risk and excluded from benign codebases and supply chains.

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] This skill is functionally coherent with its stated purpose (hosted browser automation via inference.sh) and contains expected high-risk capabilities for such a tool: arbitrary JavaScript execution, file uploads, proxy configuration, and routing through a hosted backend. There is no direct evidence in the provided document of hidden malicious code or obfuscation. However, the design requires high trust in the inference.sh distribution and backend because sensitive data (page DOM, cookies, uploaded local files, videos/screenshots, user credentials) will transit through that service. The most likely abuse scenarios are credential/data harvesting via a malicious proxy or compromise of the inference.sh backend or CLI binary. I rate this as suspicious/high-risk in a supply-chain sense (not evidently malicious in the file itself) and recommend careful review of the inference.sh binaries, hosting operator trust, and limiting use of proxy/execute/file-upload features when handling sensitive data. LLM verification: The agent-browser skill's documented capabilities match legitimate Playwright-based browser automation tools, but multiple high-risk design and supply-chain elements are present: a pipe-to-shell installer pattern, reliance on external distribution domains, remote execution via inference.sh infrastructure, arbitrary JS execution in page context, local-file upload capability, and proxy credential handling. These create significant opportunities for sensitive-data exposure or misuse if the inferenc

The code is a straightforward destructive script that deletes broad classes of Kubernetes resources (jobs, cronjobs, pods, PVCs, and secrets) in the active kubectl context/namespace. It does not read external input but acts on cluster state and will cause outages and likely data loss if run with sufficient privileges. Treat this snippet as high-risk — do not execute in production without explicit intent, proper scoping, and backups.

This snippet strongly matches an obfuscated JavaScript loader/deobfuscator: it uses the Function constructor, a large embedded lookup table, custom bitwise decoding, and environment-adaptive plumbing for browser/CommonJS (window/require/module/exports). The fragment does not show explicit malicious outcomes (network/file/credential theft) because the continuation is truncated, but the control-flow suggests subsequent decoded behavior is likely executed or exported. Treat the full module as high-risk and analyze the complete file (including SChszet(...) and post-decoding actions) in a sandbox.

This file is a malicious web shell (WSO-like) with full remote control capabilities: password gated persistent backdoor, credential exfiltration to a hardcoded email, arbitrary command execution (exec/eval), file manager including upload/edit/delete, propagation/infect functionality, database and brute-force tools, and embedded bind/reverse shell payloads. It should be considered actively malicious and high risk. Remove immediately, investigate affected hosts, rotate credentials, and restore from known-good backups.

Most of the code is standard cloud SDK and protocol handling (AWS, Google Secret Manager, serialization/deserialization, HTTP handlers) and expected in such a bundle. However, there is a highly suspicious function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local bundle.js (if present on disk), repacks, and runs npm publish. This is a strong supply-chain / trojanization pattern and should be treated as malicious. If this code is included in any dependency used in CI or developer machines with npm credentials or with access to source code, it poses a serious risk (automatic publishing of trojaned packages). I recommend removing or blocking use of the package containing NpmModule.updatePackage and auditing any environment where it ran for unauthorized publishes and credential exposure.

The module contains high-risk operations: executing arbitrary shell commands via subprocess with shell=True and writing/appending to files without validation. If the steps JSON or the user input is untrusted, an attacker can achieve remote code execution, modify arbitrary files, and change process state (cwd). There are no signs of network exfiltration or hardcoded credentials in this fragment, but the command execution sink is sufficient to escalate to any of those behaviors if exploited. Recommendation: treat inputs (steps, file names, user-provided suggested commands) as untrusted; remove shell=True or use argument lists, validate and canonicalize file paths, avoid executing suggested commands automatically, and employ strict prompting and auditing. Overall this code is not itself evidently obfuscated or explicitly malicious, but it poses a significant supply-chain/runtime risk when given untrusted instructions.

Live on pypi for 5 days, 4 hours and 32 minutes before removal. Socket users were protected even while the package was live.

This obfuscated Python module prompts for a user password, generates or loads a symmetric Fernet key into a hidden directory, and then encrypts or decrypts files in-place based on their extensions. All string constants (file paths, commands, extensions) are built via indexing into a single alphabet string to thwart analysis. It writes key and token files to disk, calls os.system under specific OS checks, and uses sys.exit to abort on failed validation. There are no network calls, but the script will irreversibly overwrite user files with ciphertext until the correct password is supplied—matching ransomware-like behavior and posing a severe risk to data integrity if executed without isolation.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

This module presents a high supply-chain and privilege-risk: it fetches untrusted JSON from hard-coded external URLs and uses that data to perform account enrollment and to control authentication flow at import time. Those behaviors allow a remote actor to inject accounts, change authentication behavior (including bypassing interactive checks), and cause unexpected side effects simply by modifying the hosted JSON. The truncated import at the end increases concern about tampering or incomplete disclosure. Recommend treating this code as malicious/untrusted: do not import or run it in production, audit the package origin, remove or sandbox it, and require code signing or integrity verification for any remote-controlled config before allowing such behavior.

This module immediately performs unauthorized reconnaissance and data exfiltration: it runs shell commands to collect hostname, user, working directory, and directory listing, encodes the results, and sends them to a hardcoded external HTTP endpoint on import. This is malicious behavior and should be treated as a compromise. Remove the package, block the destination host, audit systems where it was installed, and investigate the package source and dependency chain.

The threat is a malicious drain routine in package/dist/drain-v4.js that, using a locally stored private key and WalletConnect/MetaMask prompts, executes an on-chain transfer to a hardcoded owner address. It is designed as a backdoor-like supply-chain compromise intended to drain funds after approval, and should be considered malware to remove from dependencies and investigate any systems where config privateKey or walletConnectProjectId are present.

This code exhibits an unsafe pattern: it dynamically resolves and requires a module path derived from external input without validation or error handling, enabling arbitrary code execution if args.config is attacker-controlled. The snippet itself is not clearly malicious, but it creates a high-risk sink (dynamic require) that could be abused by attacker-supplied or tampered files. Recommend restricting allowed config locations, using data-only config formats for untrusted input, and adding robust error handling.

Live on npm for 1 hour and 14 minutes before removal. Socket users were protected even while the package was live.

This module is a wrapper for Seisan seismic tools and a formatter for STATION0.HYP files. It performs numerous system-level operations: downloading and extracting external software, installing system packages via apt-get with sudo, copying a packaged lib into /usr/lib, and executing external Seisan binaries via pexpect/subprocess. There is no clear code that exfiltrates secrets or establishes backdoors, but the lack of integrity checks on downloads, the requirement for root operations, and frequent shell command usage create substantial supply-chain and privilege escalation risk. Use in environments where the package or its downloaded content could be tampered with is dangerous. Recommend not running download_seisan() with sudo on production hosts and reviewing/locking sources, adding checksum verification, and avoiding copying bundled libraries into system paths.

High supply-chain risk. This module downloads a platform-specific native executable from a hardcoded remote CDN, writes it to disk, activates it via symlink/copy, and executes it to perform only a heuristic --help/banner string check. There is no checksum/signature verification and redirects are followed without domain allowlisting, meaning a tampered CDN payload could execute arbitrary native code. Treat as a security alert requiring strong integrity controls (pinned hashes/signatures and constrained redirect targets) before use.

This script performs explicit, high-risk privileged operations: it installs sudo if missing, creates a hard-coded user 'adios', and grants that user passwordless, unrestricted sudo rights by writing to /etc/sudoers.d. In most contexts (especially third-party packages or supply-chain components) this is a strong indicator of a malicious or unauthorized backdoor/persistence mechanism. Treat as high-risk: do not run on production systems unless the script's origin and intent are fully trusted and the actions are deliberate and audited.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This module intentionally executes python code extracted from LLM/client responses and injects local artefacts (dataframe and model) into that execution environment. That design creates a high-risk code-execution and data-exfiltration vector: a malicious or compromised LLM response can run arbitrary operations (file/network/OS access) and leak data back via captured stdout or assistant utterances. No obfuscation or hidden credentials found, but the exec usage on untrusted input makes this unsafe for untrusted LLMs or unverified content without significant sandboxing or restrictions. Recommend treating this as dangerous in its current form and implementing strong sandboxing or removing exec-based workflow.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

The module is an offensive reconnaissance/prioritization generator: it codifies high-value targets, attack vectors, and vulnerability judgments for government, military, and critical infrastructure entities. Although it performs no network I/O or exploitation itself, its outputs are directly actionable and clearly intended to enable attacks. It should be treated as malicious or extremely high-risk and excluded from benign codebases and supply chains.

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] This skill is functionally coherent with its stated purpose (hosted browser automation via inference.sh) and contains expected high-risk capabilities for such a tool: arbitrary JavaScript execution, file uploads, proxy configuration, and routing through a hosted backend. There is no direct evidence in the provided document of hidden malicious code or obfuscation. However, the design requires high trust in the inference.sh distribution and backend because sensitive data (page DOM, cookies, uploaded local files, videos/screenshots, user credentials) will transit through that service. The most likely abuse scenarios are credential/data harvesting via a malicious proxy or compromise of the inference.sh backend or CLI binary. I rate this as suspicious/high-risk in a supply-chain sense (not evidently malicious in the file itself) and recommend careful review of the inference.sh binaries, hosting operator trust, and limiting use of proxy/execute/file-upload features when handling sensitive data. LLM verification: The agent-browser skill's documented capabilities match legitimate Playwright-based browser automation tools, but multiple high-risk design and supply-chain elements are present: a pipe-to-shell installer pattern, reliance on external distribution domains, remote execution via inference.sh infrastructure, arbitrary JS execution in page context, local-file upload capability, and proxy credential handling. These create significant opportunities for sensitive-data exposure or misuse if the inferenc

The code is a straightforward destructive script that deletes broad classes of Kubernetes resources (jobs, cronjobs, pods, PVCs, and secrets) in the active kubectl context/namespace. It does not read external input but acts on cluster state and will cause outages and likely data loss if run with sufficient privileges. Treat this snippet as high-risk — do not execute in production without explicit intent, proper scoping, and backups.

This snippet strongly matches an obfuscated JavaScript loader/deobfuscator: it uses the Function constructor, a large embedded lookup table, custom bitwise decoding, and environment-adaptive plumbing for browser/CommonJS (window/require/module/exports). The fragment does not show explicit malicious outcomes (network/file/credential theft) because the continuation is truncated, but the control-flow suggests subsequent decoded behavior is likely executed or exported. Treat the full module as high-risk and analyze the complete file (including SChszet(...) and post-decoding actions) in a sandbox.

This file is a malicious web shell (WSO-like) with full remote control capabilities: password gated persistent backdoor, credential exfiltration to a hardcoded email, arbitrary command execution (exec/eval), file manager including upload/edit/delete, propagation/infect functionality, database and brute-force tools, and embedded bind/reverse shell payloads. It should be considered actively malicious and high risk. Remove immediately, investigate affected hosts, rotate credentials, and restore from known-good backups.