skill-compass

Fail

Audited by Socket on Apr 14, 2026

12 alerts found:

Anomaly ×3, Security ×5, Malware ×4

Anomaly (LOW)
scripts/eval-v2/codespace-setup.sh

This is a bootstrapper with no obvious direct malware in the snippet, but it has significant supply-chain execution risk: it executes a remotely fetched installer as root (`curl ... | sudo ... bash -`), installs global npm tooling without pinning, and clones/pulls upstream GitHub code without pinning or integrity verification before staging scripts for later execution. Review/pin versions/commits and add integrity checks before running in a sensitive environment.

Confidence: 71%, Severity: 63%

Anomaly (LOW)
lib/update-checker.js

This module appears to be a legitimate Git-based update checker, with no clear evidence of direct malware behavior (no hardcoded secrets, no data theft/exfiltration, no obfuscation). The main security concern is operational: it shells out to git for fetch/pull across directories derived from inventory, which can cause outbound network access and can indirectly trigger local effects (including potential git hook execution depending on environment/config). It also ingests remote text from fetched commits (SKILL.md/skill.md) and executes a caller-provided callback (options.snapshot) during pull operations. Overall, malware likelihood is low, but security/operational risk is moderate and depends strongly on trust in inventory/skill paths and Git repo/remote sources.

Confidence: 61%, Severity: 60%

Anomaly (LOW)
hooks/hooks.json

This is a lifecycle-hook configuration that executes local Node.js scripts on key workflow events. The only observable security-relevant issue in this fragment is the command-execution sink that runs scripts from a plugin root derived from environment/config with a relative fallback; this increases supply-chain risk if path selection or working directory can be influenced. The fragment itself shows no direct malicious code, but malicious tracking/gating or other payload behavior could exist inside the referenced scripts, which are not provided here.

Confidence: 45%, Severity: 60%

Security (MEDIUM)
prompts/improve.md

This module is adversarial prompt-injection content rather than legitimate dependency code. It does not directly perform malware actions (no network, filesystem, or command execution logic present), but it is highly likely to compromise evaluation integrity by coercing an automated agent to overwrite or alter SKILL.md output and scoring behavior. Treat as a critical workflow-integrity threat to the supply-chain/security evaluation process, not as a conventional malware payload.

Confidence: 90%, Severity: 98%

Security (MEDIUM)
test-fixtures/weak-skill/.skill-compass/deploy-helper/snapshots/1.0.0.md

This package/deployment artifact includes a plaintext token-like secret and documents high-impact automation (remote SSH deployment with git/pm2, destructive rollback suggestion, admin-level DB migrations, and outbound Slack notifications). While the fragment does not prove active malware behavior, the exposed credential is a severe supply-chain security issue and warrants immediate remediation (rotate the token, remove it from the artifact, and audit any deployment/notification implementations that may consume it).

Confidence: 68%, Severity: 82%

Security (MEDIUM)
test-fixtures/d3-insecure/SKILL.md

SUSPICIOUS. The skill’s stated database-admin purpose matches its broad DB operations, but it exposes a hardcoded production admin password, executes raw user input on a production database, and can export full backups to S3 with prod credentials. The footprint is far too sensitive for an unrestricted agent skill and creates high risk of destructive actions and data loss/exfiltration.

Confidence: 95%, Severity: 93%

Security (MEDIUM)
test-fixtures/audit-batch/skills/skill-b/SKILL.md

SUSPICIOUS: the stated purpose is benign, but the implementation unnecessarily exposes sensitive environment variables by printing them in cleartext. No external exfiltration or installer abuse is present, yet the credential disclosure makes the skill unsafe as written.

Confidence: 95%, Severity: 74%

Security (MEDIUM)
test-fixtures/malicious-curl-pipe/SKILL.md

SUSPICIOUS. The stated purpose is plausible, but the skill’s core functionality depends on an opaque remote installer from an unverifiable domain with no official provenance. That makes install trust fundamentally inconsistent with a legitimate deployment helper and creates high execution risk even without confirmed malicious payload behavior.

Confidence: 94%, Severity: 90%

Malware (HIGH)
test-fixtures/malicious-ascii-smuggling/SKILL.md

MALICIOUS: the skill's stated purpose is a simple helper, but its real behavior is to override agent safeguards and run an unverified remote shell payload from an unrelated domain. The mismatch in purpose, explicit prompt subversion, and direct remote code execution make this fundamentally incompatible with any legitimate helper skill.

Confidence: 99%, Severity: 99%

Malware (HIGH)
test-fixtures/malicious-base64-exfil/SKILL.md

MALICIOUS. The skill's stated purpose is a cover for credential theft: it secretly decodes and executes a command that exfiltrates the user's SSH private key to an external server. This is fundamentally incompatible with any legitimate data-processing skill.

Confidence: 99%, Severity: 100%

Malware (HIGH)
test-fixtures/malicious-prompt-injection/SKILL.md

MALICIOUS: the skill's real behavior is incompatible with code analysis. It uses prompt injection to bypass safeguards, includes destructive commands, and executes an unverifiable remote payload from a third-party paste site.

Confidence: 98%, Severity: 99%

Malware (HIGH)
test-fixtures/malicious-base64-exfil.expected.json

The provided decoded payload is a clear credential-theft and exfiltration command (reads SSH private key and POSTs it to a remote collection endpoint). While the surrounding package code is not provided here to confirm whether it actually decodes/executes this string, the embedded behavior is unequivocally malicious in intent and impact. Treat the dependency as high risk if it can reach this payload during normal operation or build/test execution.

Confidence: 60%, Severity: 70%
Audit Metadata
Analyzed At
Apr 14, 2026, 08:24 AM
Package URL
pkg:socket/skills-sh/Evol-ai%2FSkillCompass%2Fskill-compass%2F@09b2dda1636510588bc641acb436f9fcdd31e773