omni-x402

[Skill Scanner] Download or install from free hosting/deployment platform detected All findings: [HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4] [HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4] [HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4] [HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4] [HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4] [HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4] [HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4] [HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4] [HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4] [HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4] No explicit malware or obfuscated malicious code is present in the provided skill documentation. The main security concerns are supply-chain and privacy: the workflow requires running a remote npm CLI via npx (runtime code execution risk) and proxies all queries and responses through a third-party backend (omniapi-production-7de2.up.railway.app), which can observe requests, returned social data, and payment metadata. If you trust the provider and the npm package publisher, the service appears coherent with its purpose. If you require stronger guarantees, audit the awal npm package code and the omniapi backend, and review their data-retention/privacy policies before use. LLM verification: No explicit malware is present in the provided SKILL.md content. The primary risk is a supply-chain/trust risk: all queries and payments are routed through two third-party services (the 'awal' CLI and the omniapi-production-7de2.up.railway.app host). That design can lead to data collection, request logging, or unauthorized monetization of queries. Because the skill lacks local code to inspect and relies on external services for both authentication and data retrieval, treat it as SUSPICIOUS from