open-code-review
Warn
Audited by Socket on Jul 2, 2026
1 alert found:
AnomalyAnomalyscripts/install.sh
LOWAnomalyLOW
scripts/install.sh
This wrapper itself contains no obvious credential theft or stealth logic, but it performs multiple high-impact supply-chain actions. The release mode directly executes a remotely fetched GitHub raw script via sh -c without pinning or signature/checksum verification in this wrapper. The source mode clones remote code and runs make build, and the npm mode installs a globally-scoped package whose install scripts can execute. Overall risk is driven by upstream integrity and the lack of cryptographic verification/pinning in the wrapper, so it should be reviewed and ideally constrained (e.g., pin to immutable commits/tags and verify hashes/signatures) before use in sensitive environments.
Confidence: 75%Severity: 63%
Audit Metadata