yanzi-extension-dev
Audited by Socket on Jun 18, 2026
1 alert found:
AnomalyNo direct malicious code is shown because this is an API reference. However, the described localhost service is a security-critical control plane: with access to the X-Yanzi-Token, an attacker could manage extensions (create/update/install/publish), trigger extension execution, alter storage, and force synchronization of extension storage to external WebDAV/Git providers. The security posture therefore depends heavily on the strength and protection of the local token, the binding/authorization model, and safety measures around extension execution and storage/sync handling. Review the actual server implementation for robust authz scoping, input validation, execution sandboxing, and safeguards that prevent unauthorized extension execution and unintended data propagation.