seo-audit

Fail

Audited by Socket on Jul 7, 2026

3 alerts found:

Obfuscated Filex2Anomaly
Obfuscated FileHIGH
src/reporters/html-reporter.ts

The fragment functions as a safe, structured HTML-report generator for SEO audits. It formats data into an interactive HTML report and persists it to disk. No malicious behavior or backdoors are identifiable in this code fragment. The main precaution is ensuring the filePath passed to writeHtmlReport is trusted or validated to prevent potential arbitrary file writes. Overall, the approach is sound with moderate risk tied to the sink when integrating into broader systems.

Confidence: 90%
Obfuscated FileHIGH
.mcp.json

This JSON is a configuration that will cause dynamic, remote package code execution by invoking `npx shadcn@latest mcp`. The file itself is not malicious, but it enables high-impact supply-chain risk because it fetches and runs the latest code from the npm registry without pinning or integrity checks. Recommend replacing `@latest` with a pinned, audited version (and ideally an integrity hash), executing such commands only in controlled/sandboxed environments, and adding monitoring and least-privilege controls to mitigate possible malicious package behavior.

Confidence: 90%
AnomalyLOW
electron/main/index.ts

No direct evidence of malicious code is present in this main-process fragment. The main security risk is structural/configuration-driven: it can load renderer content from an environment-controlled URL and it disables the renderer sandbox (sandbox: false), increasing the blast radius of any renderer/preload compromise. The actual risk level depends significantly on the unseen preload script and the audit/DB bridge handlers, which may create high-privilege IPC/DB surfaces.

Confidence: 60%Severity: 62%
Audit Metadata
Analyzed At
Jul 7, 2026, 10:45 AM
Package URL
pkg:socket/skills-sh/seo-skills%2Fseo-audit-skill%2Fseo-audit%2F@3dc3af304b601fc680d033b0e7129632c0e29567
Security Audit — socket — seo-audit