busybox-on-windows

Fail

Audited by Socket on Feb 21, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] URL pointing to executable file detected

All findings:
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3]
[HIGH] command_injection: PowerShell execution detected (CI005) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

The instructions are functionally legitimate for obtaining and using BusyBox on Windows, but they present a non-trivial supply-chain risk because they direct users to download and execute a binary from a third-party host (frippery.org) without any integrity or authenticity verification. There are no explicit malicious indicators in the text itself, but the download-and-execute pattern warrants caution: verify artifacts (checksums/signatures), obtain binaries from official or trusted sources, scan and run in isolated environments, and avoid elevated execution unless necessary.

LLM verification: The SKILL.md is a benign instructional document to install and run BusyBox on Windows. The document itself contains no active malicious code, but it instructs users to download and execute binaries from a third-party site without integrity checks and suppresses download feedback. That download-and-execute pattern is the primary supply-chain risk: the fetched binary could be malicious or tampered with.
Mitigations: add cryptographic hashes/signatures, prefer official/packaged distribution channel

Confidence: 98%
Severity: 90%

Audit Metadata
Analyzed At: Feb 21, 2026, 02:52 PM
Package URL: pkg:socket/skills-sh/viktor-ferenczi%2Fskills%2Fbusybox-on-windows%2F@d1591726a2fec0b3008e15da72f90466f62d946f