appicons

Warn

Audited by Socket on Jun 28, 2026

1 alert found:

Anomaly
AnomalyLOW
scripts/favicon-gen.sh

No direct evidence of intentional malware in the script itself (no credential theft, backdoor, or command execution of untrusted data). However, it introduces meaningful supply-chain risk by sending untrusted content to a configurable external API and then blindly base64-decoding and extracting the API’s returned zip into the project directory using unzip with overwrite, without validating zip entry paths or restricting expected filenames. If the API or --api/FAVICON_API endpoint is compromised or malicious, the primary impact is malicious or unexpected file placement/overwrites within $OUT.

Confidence: 62%Severity: 66%
Audit Metadata
Analyzed At
Jun 28, 2026, 12:53 AM
Package URL
pkg:socket/skills-sh/drmrduck%2Fskills%2Fappicons%2F@6fe610210006fcab008ebb206825e407bfce07903ca78f2eac333c778e72fa9d