music-downloader

Warn

Audited by Socket on Jul 5, 2026

1 alert found:

Anomaly
AnomalyLOW
tools/apply_library_repair_moves.ps1

No direct evidence of classic malware behaviors (networking, credential theft, backdoor execution, encoded payloads) exists in this fragment; the script is a filesystem automation tool. The dominant security concern is supply-chain/safety risk from treating externally supplied JSON as authoritative and not enforcing that plan-specified $source paths are contained within the configured library root. As a result, a tampered plan could move (and thereby relocate/disrupt) MP3 content from arbitrary locations into the library, and it can perform recursive forced deletions of root-contained targets when deleteExisting is enabled. If the plan file and parameters are not tightly controlled (e.g., obtained securely and integrity-verified), the overall risk is moderate to high for unintended or unauthorized filesystem changes.

Confidence: 66%Severity: 62%
Audit Metadata
Analyzed At
Jul 5, 2026, 06:21 PM
Package URL
pkg:socket/skills-sh/Nymbo%2FMusic-Downloader-Skill%2Fmusic-downloader%2F@b71ab86ce27c8bf2f6f77c4cd3877ddb1e9bbe925024add80bcae6d3c0a99262
Security Audit — socket — music-downloader