plugins
Audited by Socket on Feb 20, 2026
1 alert found:
Malware
[Skill Scanner] URL pointing to executable file detected

All findings:
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This document describes a standard plugin manager API with powerful plugin capabilities. The documentation itself is not malware, but the features (install-from-URL, broad permission model including exec/trading/memory, and lack of described sandboxing or verification) create significant supply-chain and runtime risk if the runtime does not enforce strict isolation, signing, and least-privilege controls. Treat plugins from untrusted sources as potentially malicious and implement signing, sandboxing, scoped permissions, safe extraction, and auditing before accepting installs.

LLM verification: The skill documentation and API are consistent with a plugin manager, but they expose significant supply-chain risks: installing plugins from arbitrary URLs and executing plugin code in-process without described integrity checks or sandboxing can lead to remote code execution, credential exfiltration, and abuse of powerful permissions ('exec','trading','memory').
The material itself contains no obfuscation or hard-coded secrets and does not demonstrate active malicious payloads, but the describe