iblai-vibe-design
Warn
Audited by Socket on Jul 7, 2026
1 alert found:
SecuritySecurityscripts/live-browser.js
MEDIUMSecurityMEDIUM
scripts/live-browser.js
The fragment is not obviously obfuscated and does not show direct eval/backdoor primitives, but it has high-impact behaviors: it captures DOM content (including inlined fetched fonts) into an image and uploads annotation images to a local server using a TOKEN in the URL. It also dynamically injects scripts from localhost and uses wildcard postMessage plus innerHTML with server-provided HTML/markdown, creating potential privacy/exfiltration and XSS risks if the local server content or endpoints are compromised. Overall, treat as security-sensitive and review with supply-chain and runtime trust boundaries in mind.
Confidence: 61%Severity: 74%
Audit Metadata