qiaomu-design

Warn

Audited by Socket on Jul 7, 2026

1 alert found:

Anomaly
AnomalyLOW
scripts/qiaomu-design-preview-server.mjs

The server-side fragment is primarily a local static-file + JSON API preview service that persists POSTed data to a local JSON file and logs the full record. The key security uncertainty is the HTML bridge injection mechanism: because injectBridge() inserts an external bridgeScript into served .html content and the bridgeScript content/behavior is not shown, client-side tracking/exfiltration or other malicious browser actions cannot be ruled out. Additionally, the module provides an OS process-launch capability (openUrl) and stores/logs attacker-influenced data without sanitization or schema validation. No overt server-side malware behavior is evident in the provided fragment, but overall risk is moderate due to persistent data handling, logging, and active HTML/script injection.

Confidence: 45%Severity: 58%
Audit Metadata
Analyzed At
Jul 7, 2026, 02:06 AM
Package URL
pkg:socket/skills-sh/joeseesun%2Fqiaomu-design-advisor%2Fqiaomu-design%2F@7b4a74257753837eaeadcf92847339f86639933c
Security Audit — socket — qiaomu-design