bankr-signals
Audited by Socket on Mar 1, 2026
1 alert found:
Malware
This skill's functionality is coherent with its stated purpose (publishing and consuming blockchain-verified trading signals). The principal security concerns stem from recommended use of a third-party signing service (bankr.bot) and storing/using an API key that grants signing/agent capabilities. Delegating signing to a remote provider concentrates impersonation risk: if the bankr.bot account, key, or service is compromised, attackers can publish forged signals or register providers on behalf of victims. Webhooks and automated heartbeat workflows are legitimate features but create exfiltration and automation risks if misused or if webhook endpoints are attacker-controlled. No obvious obfuscated code or direct download-execute supply-chain commands are present in the provided skill text. Overall, this is not confirmed malware, but it presents moderate supply-chain and credential-forwarding risk; operators should prefer local signing with least-privilege keys, secure storage of API keys (with restrictive permissions), review Bankr's Agent API scopes before use, and vet webhook endpoints.