qiaomu-design
Audited by Socket on Jul 7, 2026
1 alert found:
AnomalyThe server-side fragment is primarily a local static-file + JSON API preview service that persists POSTed data to a local JSON file and logs the full record. The key security uncertainty is the HTML bridge injection mechanism: because injectBridge() inserts an external bridgeScript into served .html content and the bridgeScript content/behavior is not shown, client-side tracking/exfiltration or other malicious browser actions cannot be ruled out. Additionally, the module provides an OS process-launch capability (openUrl) and stores/logs attacker-influenced data without sanitization or schema validation. No overt server-side malware behavior is evident in the provided fragment, but overall risk is moderate due to persistent data handling, logging, and active HTML/script injection.