teach-web-actions

Warn

Audited by Socket on Jul 8, 2026

1 alert found:

Anomaly
AnomalyLOW
scripts/run_variant.js

The snippet is a Playwright runner that dynamically loads and executes a caller-specified JavaScript module (variantPath) with full Node.js privileges, passing it a Playwright page object. While the wrapper contains no explicit malware or exfiltration logic itself, the dynamic require + execution creates an inherently high-impact arbitrary code execution risk if variantPath is not fully trusted. Caller-controlled outDir and persistent profile usage further expand potential impact through filesystem writes and retained browser state.

Confidence: 68%Severity: 55%
Audit Metadata
Analyzed At
Jul 8, 2026, 03:29 AM
Package URL
pkg:socket/skills-sh/puntorigen%2Fskills%2Fteach-web-actions%2F@1933b564ef35ce0e65ae42e2b4df9708968fb449fe15172d14e891ecc1e28a7f
Security Audit — socket — teach-web-actions