typst-author

Fail

Audited by Socket on Jun 13, 2026

1 alert found:

Obfuscated File
Obfuscated FileHIGH
docs/reference/foundations/eval.md

This fragment documents an #eval primitive that executes arbitrary Typst code from a string with an injectable scope. The documentation alone contains no direct malicious code, but the API is intrinsically dangerous: untrusted `source` or a `scope` containing secrets can lead to arbitrary code execution, data exposure, or other side effects depending on the Typst runtime capabilities. Because no implementation or sandbox guarantees are provided, treat use of #eval as a high-risk operation and avoid passing untrusted input. If necessary, require a strong sandbox, capability restrictions, or an allowlist of safe operations and ensure sensitive data is never placed in `scope`.

Confidence: 90%
Audit Metadata
Analyzed At
Jun 13, 2026, 05:16 AM
Package URL
pkg:socket/skills-sh/jihe520%2FMathModelAgent%2Ftypst-author%2F@876e48a8becfac08c3aec5a002d8e487765283ce1dadfe7f83e877fae66e2725
Security Audit — socket — typst-author