open-code-review

Warn

Audited by Socket on Jul 2, 2026

1 alert found:

Anomaly
AnomalyLOW
scripts/install.sh

This wrapper itself contains no obvious credential theft or stealth logic, but it performs multiple high-impact supply-chain actions. The release mode directly executes a remotely fetched GitHub raw script via sh -c without pinning or signature/checksum verification in this wrapper. The source mode clones remote code and runs make build, and the npm mode installs a globally-scoped package whose install scripts can execute. Overall risk is driven by upstream integrity and the lack of cryptographic verification/pinning in the wrapper, so it should be reviewed and ideally constrained (e.g., pin to immutable commits/tags and verify hashes/signatures) before use in sensitive environments.

Confidence: 75%Severity: 63%
Audit Metadata
Analyzed At
Jul 2, 2026, 07:30 AM
Package URL
pkg:socket/skills-sh/akillness%2Fjeo-skills%2Fopen-code-review%2F@0c561dc3b4c647d3d2cf09c4c6aa97b8eba166effa8984b2e88cc96c4d9bfa66
Security Audit — socket — open-code-review