using-webctl
Audited by Socket on Mar 29, 2026
2 alerts found:
Anomaly x2
SUSPICIOUS: the skill's overall goal is coherent, and the base webctl install path is legitimate, but it uses an unusual local monkeypatch that intercepts authenticated proxy traffic and forwards proxy credentials through custom, unreviewed code. No clear third-party exfiltration is shown, so this is not confirmed malware, but the credential-handling patch and browser automation over untrusted web content make it a medium-risk skill.
This fragment is a high-impact installer/patcher that (a) installs a dependency at runtime with elevated pip behavior (--break-system-packages) and (b) overwrites and patches installed webctl package code in /usr/local/lib/python3.12/dist-packages, including authentication/session-related modules. No explicit malware actions are visible in the snippet (no exfiltration/C2 shown), but the supply-chain/tampering pattern is significant. Verify the provenance and contents of scripts/auth_proxy.py, and confirm the exact session_manager patch logic (old_block/new_block), since the fragment appears incomplete.