
ntm

Warn

Audited by Socket on Feb 15, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

This SKILL.md describes a powerful tmux-based multi-agent orchestration tool whose documented features broadly match the stated purpose. However, several design choices raise supply-chain and local-execution risks: the recommended curl|bash install from a personal GitHub repo, command_hook support for arbitrary shell commands, robot-mode features that export files and session snapshots, and example configs that explicitly recommend bypassing safety/sandboxing for agent CLIs. These features are plausible for this type of tool but are high-risk and could be abused for credential or source-code exfiltration or to execute arbitrary commands if the install source or hooks are compromised or misconfigured. I rate this as SUSPICIOUS — not proven malware, but significant security risk that requires hardened install practices, strong defaults (no dangerous flags, no auto-execution of hooks, explicit opt-in for file exports), and clear documentation about what is sent to external endpoints.

Confidence: 70%
Severity: 60%

Audit Metadata

Analyzed At: Feb 15, 2026, 08:39 PM
Package URL: pkg:socket/skills-sh/dicklesworthstone%2Fagent_flywheel_clawdbot_skills_and_integrations%2Fntm%2F@b189dcf92255a85217c6a49bbfaf4224ee051cf7