appicons
Warn
Audited by Socket on Jun 28, 2026
1 alert found:
AnomalyAnomalyscripts/favicon-gen.sh
LOWAnomalyLOW
scripts/favicon-gen.sh
No direct evidence of intentional malware in the script itself (no credential theft, backdoor, or command execution of untrusted data). However, it introduces meaningful supply-chain risk by sending untrusted content to a configurable external API and then blindly base64-decoding and extracting the API’s returned zip into the project directory using unzip with overwrite, without validating zip entry paths or restricting expected filenames. If the API or --api/FAVICON_API endpoint is compromised or malicious, the primary impact is malicious or unexpected file placement/overwrites within $OUT.
Confidence: 62%Severity: 66%
Audit Metadata