iblai-vibe-deslop
Audited by Socket on Jul 7, 2026
1 alert found:
SecurityThis codebase, as described, contains several high-impact security weaknesses that materially increase compromise likelihood: (1) insecure pickle deserialization for both a persisted retrieval index and knowledge-graph embedding blobs (direct RCE if artifacts/DB can be tampered with), (2) remote ML model loading with trust_remote_code=True (supply-chain remote code execution capability), and (3) an unauthenticated production endpoint that can inject/spoof events into arbitrary WebSocket sessions. Additional concurrency/DB issues and unbounded caches/pagination expand denial-of-service and integrity risks. While the evidence strongly indicates dangerous capabilities, it does not by itself prove intentional malware (e.g., data theft), so treat the package as high risk until the RCE primitives and authentication/control gaps are remediated.