visual-companion

Warn

Audited by Socket on Jun 23, 2026

1 alert found:

Anomaly
AnomalyLOW
scripts/helper.js

This snippet is best characterized as a telemetry/interaction-bridge that collects user selections and form field values from the DOM and forwards them to server endpoints over WebSocket and HTTP fallback, including diagnostic logs and periodic heartbeats. There is no strong evidence of overt malware/backdoor primitives in the code shown; however, it presents meaningful security and privacy risks: token exposure due to ws:// plus token-in-query-string, potential DOM injection via innerHTML concatenation using DOM-derived values, and a server-driven reload control path. Review server-side authorization, data minimization, and ensure robust escaping/CSRF/auth expectations; change transport to wss:// and avoid inserting untrusted strings into innerHTML.

Confidence: 74%Severity: 67%
Audit Metadata
Analyzed At
Jun 23, 2026, 04:46 PM
Package URL
pkg:socket/skills-sh/mineru98%2Fskills-store%2Fvisual-companion%2F@3e88aaa676228dccdfa0449c27bb9a249c6eabb2d0c582c309042ac8508198e3
Security Audit — socket — visual-companion