skills/swannysec/robot-tools/starduster/Socket

starduster

Fail

Audited by Socket on Feb 18, 2026

1 alert found:

Malware

MalwareSKILL.md

HIGH

MalwareHIGH

SKILL.md

[Skill Scanner] Destructive bash command detected (rm -rf, chmod 777) All findings: [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] BENIGN: The skill’s capabilities are coherent with its stated purpose, with layered defenses and clearly defined data flows that isolate untrusted content, and with access patterns (gh CLI, local write to Obsidian vault) that are appropriate for a GitHub stars to Obsidian catalog tool. No malicious behavior is evident in the described workflow; however, the architecture’s complexity warrants testing to ensure the sandbox boundaries are enforced in practice. LLM verification: This skill's stated purpose aligns with its capabilities and the use of gh/jq/Bash is appropriate. However there are meaningful residual risks: the synthesis sub-agent retains read access to arbitrary local files and the skill relies on procedural rules (must invoke sub-agent as Explore, must not Read session temp files) that cannot be fully enforced by the documented allowed-tools. If an attacker can influence which file paths are passed to the sub-agent (via crafted repo metadata or a platform

Confidence: 95%Severity: 90%

Audit Metadata

Analyzed At

Feb 18, 2026, 02:37 AM

Package URL

pkg:socket/skills-sh/swannysec%2Frobot-tools%2Fstarduster%2F@8792ef60062b298079604e778398dda9cc0f136d