heretic
Warn
Audited by Socket on Jul 1, 2026
1 alert found:
AnomalyAnomalyscripts/install.sh
LOWAnomalyLOW
scripts/install.sh
No strong evidence of intentional malware or hidden payloads in this installer script. The primary security concerns are (1) the use of `eval "$*"` in the command execution helper, which can amplify impact if environment variables are manipulated, and (2) supply-chain redirection/fetch risk via configurable UPSTREAM_URL/REF (UV=1) and unpinned/unverified installation behavior in the non-UV path (pip install -U). This warrants careful use in controlled environments and should ideally replace eval and add integrity/pinning/verification controls.
Confidence: 72%Severity: 52%
Audit Metadata