deploy

Warn

Audited by Socket on Jul 8, 2026

2 alerts found:

Anomalyx2
AnomalyLOW
scripts/block-roundtrip.mjs

This code does not show clear malicious payload behavior (no explicit exfiltration/credential theft/system modification), but it contains a high-impact supply-chain execution mechanism: it reads per-block JavaScript from a configurable local blocks directory and executes it in the Playwright browser via addScriptTag, then invokes exported decorators to transform DOM before performing diffs. It also fetches a user-provided remote prototype URL, allowing arbitrary remote scripts to run in the automated browser session. The practical risk is driven by trust in local `${blocksDir}/${name}/${name}.js` and the proto URL; compromised assets could lead to arbitrary code execution in the harness environment and unreliable or tampered comparison results.

Confidence: 70%Severity: 65%
AnomalyLOW
scripts/render-harness.mjs

This module is a Playwright-based renderer that reads HTML and plugin-like “block” JavaScript/CSS from paths derived from CLI arguments, injects the HTML into the page, injects the block JS verbatim as scripts, and then executes `decorate` functions in the page context before taking a screenshot. The behavior enables arbitrary code execution (via block JS files) and DOM injection (via HTML), and it uses unvalidated file paths (argv) for filesystem reads/writes. There is no direct evidence of malicious payloads in this snippet, but the mechanism is a strong supply-chain/integrity risk and could be weaponized if block files or inputs are tampered with.

Confidence: 68%Severity: 62%
Audit Metadata
Analyzed At
Jul 8, 2026, 06:42 AM
Package URL
pkg:socket/skills-sh/adobe%2Fskills%2Fdeploy%2F@6693bf8974f4730dd8e9d9f69f6a520c0d63577b50bcb1f129f15b8ed46aeb78
Security Audit — socket — deploy