deploy
Audited by Socket on Jul 8, 2026
2 alerts found:
Anomalyx2This code does not show clear malicious payload behavior (no explicit exfiltration/credential theft/system modification), but it contains a high-impact supply-chain execution mechanism: it reads per-block JavaScript from a configurable local blocks directory and executes it in the Playwright browser via addScriptTag, then invokes exported decorators to transform DOM before performing diffs. It also fetches a user-provided remote prototype URL, allowing arbitrary remote scripts to run in the automated browser session. The practical risk is driven by trust in local `${blocksDir}/${name}/${name}.js` and the proto URL; compromised assets could lead to arbitrary code execution in the harness environment and unreliable or tampered comparison results.
This module is a Playwright-based renderer that reads HTML and plugin-like “block” JavaScript/CSS from paths derived from CLI arguments, injects the HTML into the page, injects the block JS verbatim as scripts, and then executes `decorate` functions in the page context before taking a screenshot. The behavior enables arbitrary code execution (via block JS files) and DOM injection (via HTML), and it uses unvalidated file paths (argv) for filesystem reads/writes. There is no direct evidence of malicious payloads in this snippet, but the mechanism is a strong supply-chain/integrity risk and could be weaponized if block files or inputs are tampered with.