llm-wiki
Audited by Socket on Jul 7, 2026
2 alerts found:
SecurityAnomalyThe skill's purpose and permissions are coherent for an updater, but its trust model is weak: it pulls mutable code from GitHub and executes install.sh without pinning or verification. This is better classified as suspicious supply-chain risk than malware; no clear credential theft or exfiltration is present in the instructions shown.
The main security issue is design-level: the component fetches remote HTML text and injects it into an iframe via srcDoc while enabling script execution (sandbox="allow-scripts"). Although sandboxing reduces privileges compared to an unsandboxed iframe, it still permits the embedded artifact’s JavaScript to run. The only protection before rendering is a weak filename-extension check, with no sanitization or response-type/content validation. Review upstream trust boundaries (how getArtifactFileUrl is formed, whether artifact content is trusted/sanitized) and consider removing allow-scripts or sanitizing/isolating the HTML before rendering.