chanjing-tts

Warn

Audited by Socket on Mar 29, 2026

1 alert found:

Anomaly (LOW)
scripts/poll_task

This fragment functions as a legitimate polling client for a TTS/audio task and prints the resulting audio URL returned by a remote API. No direct malicious behaviors are evident in the shown code (no execution of code from responses, no subprocesses, no filesystem changes, no obvious data theft). The main security concerns are (1) supply-chain/local-import risk from modifying sys.path to import _auth (token handling is opaque and could be malicious in that module), and (2) environment-controlled API_BASE that could redirect requests (including access_token and task_id) to an unintended destination if CHANJING_API_BASE is compromised.

Confidence: 70%
Severity: 50%
Audit Metadata
Analyzed At: Mar 29, 2026, 07:37 AM
Package URL: pkg:socket/skills-sh/chanjing-ai%2Fchan-skills%2Fchanjing-tts%2F@4b6dee362af377c5e056d7a5c87df30b8e32c8d7