dashiai-ppt

Warn

Audited by Socket on Jul 7, 2026

2 alerts found:

Anomalyx2
AnomalyLOW
project/assets/vendor/unicornstudio.umd.js

No definitive malicious payload (e.g., credential theft or explicit exfiltration) is evident in this fragment. However, the code contains a significant supply-chain/execution risk: it dynamically imports and executes an extension module from a URL influenced by runtime configuration fetched/parsed at load time. If an attacker can tamper with the scene configuration/DOM attributes or the referenced remote module/CDN, the imported module can run arbitrary JavaScript in the page context. Separately, the module loads remote fonts/media from configuration URLs, which can increase privacy and tracking/resource-abuse risk.

Confidence: 62%Severity: 66%
AnomalyLOW
project/src/components/themes/theme10/source/module-loader.js

No overt credential theft, persistence, or explicit exfiltration behavior is visible in this snippet alone. However, the code is a powerful runtime code-execution mechanism: it fetches remote JavaScript/JSX modules, transpiles them in-browser with Babel, rewrites dependency specifiers without integrity/allowlisting, and executes the result via dynamic import of generated Blob URLs. If an attacker can influence the data-entry attribute, the resolved module URL(s), or any fetched dependency contents/specifiers, this loader can enable arbitrary JavaScript execution in the browser. The primary risk is missing trust boundaries and integrity controls rather than obvious malicious payload logic in this fragment.

Confidence: 60%Severity: 65%
Audit Metadata
Analyzed At
Jul 7, 2026, 11:11 AM
Package URL
pkg:socket/skills-sh/chuspeeism%2FdashiAI-ppt-skill%2Fdashiai-ppt%2F@61656fbfd25a68f1a7ab600dcda93e27fc65a8a7
Security Audit — socket — dashiai-ppt