Workspace

Warn

Audited by Socket on Apr 16, 2026

1 alert found:

Anomaly (LOW)
assets/devcontainer.json

No direct malicious code is visible in this configuration snippet. However, it creates a meaningful supply-chain risk by automatically running an unpinned npm package (`skills@latest`) via `npx --yes` during container creation and by using an unpinned container image tag (`...:latest`). Additionally, it injects ASTA_TOKEN into the container environment, which could amplify impact if any installed package/plugin is malicious. Recommended mitigations: pin the npm package and container image to exact versions/digests, verify integrity, and minimize/avoid passing sensitive tokens into build-time provisioning steps.

Confidence: 62%
Severity: 63%
Audit Metadata
Analyzed At
Apr 16, 2026, 12:14 AM
Package URL
pkg:socket/skills-sh/allenai%2Fasta-plugins%2Fworkspace%2F@69c652cead4bf14a45f4681e1b09b135050e1633