Skills
skills/hacklyc/myagents_skills/download-anything/Socket

download-anything

Warn

Audited by Socket on Feb 22, 2026

1 alert found:

Security
SecurityMEDIUM
SKILL.md

[Skill Scanner] Installation of third-party script detected All findings: [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] The repository/document fragment is a functional and effective how-to for mass discovery and downloading of diverse digital resources, but it encourages high-risk behaviors: using piracy-prone mirror ecosystems, unpinned installs of CLI tools, executing downloads from unvetted domains, participating in P2P networks, and implicitly accessing local cookie stores. I found no explicit obfuscated code or direct evidence of embedded malware in the provided text, but the operational guidance significantly increases the probability of encountering malware or leaking sensitive data when followed. Recommend exercising caution: do not auto-run scripts without inspection, pin and verify installer packages, avoid or carefully vet mirror domains, do not allow cookie access unless necessary and reviewed, verify downloads with checksums/signatures, and sandbox or scan downloaded executables. LLM verification: This skill is a high‑risk downloader orchestration guide rather than malicious code. It legitimately maps tools to download tasks, but it encourages patterns with substantial supply-chain and operational risk: installing multiple unpinned third‑party CLIs, downloading from untrusted/mirror domains, auto-using local cookies (possible credential exposure), and torrent seeding. There is no direct evidence of embedded malware or obfuscation in the SKILL.md itself, but the workflows it recommends amp

Confidence: 75%Severity: 75%
Audit Metadata
Analyzed At
Feb 22, 2026, 08:01 AM
Package URL
pkg:socket/skills-sh/hAcKlyc%2FMyAgents_skills%2Fdownload-anything%2F@3c75de98d3b6e16f5d53fae6cd57f9b881baaec8