slide-maker
Audited by Socket on Jul 9, 2026
2 alerts found:
AnomalySecurityThis file is primarily UI logic and does not directly show overt malicious behavior (no eval/new Function, no direct exfiltration). However, it contains a high-impact supply-chain execution mechanism: when enabled, it dynamically injects and executes `/edit-mode/edit-mode.js` (and `/edit-mode/edit-mode.css`) and then initializes it with a hardcoded localhost bridge. The primary risk is integrity/hosting/control of those dynamically loaded assets; if compromised, arbitrary code execution in the page context is possible. Separately, it exposes window.__DECK globally, expanding the control surface for any co-resident script.
No overt malware (exfiltration, command execution, or code execution primitives) is evident in this module. However, the service is security-sensitive: it is an unauthenticated local HTTP endpoint that accepts untrusted JSON and writes attacker-controlled base64-decoded files to disk using a client-controlled filename via join(dir, screenshotFile) without sanitization. This can enable path traversal/arbitrary file write outside the intended directory (depending on join resolution and attacker inputs). Additional concerns include wildcard CORS and potential DoS/disk-filling through large or numerous uploads, plus disclosure of written paths back to clients.