seo-audit
Audited by Socket on Jul 7, 2026
3 alerts found:
Obfuscated Filex2AnomalyThe fragment functions as a safe, structured HTML-report generator for SEO audits. It formats data into an interactive HTML report and persists it to disk. No malicious behavior or backdoors are identifiable in this code fragment. The main precaution is ensuring the filePath passed to writeHtmlReport is trusted or validated to prevent potential arbitrary file writes. Overall, the approach is sound with moderate risk tied to the sink when integrating into broader systems.
This JSON is a configuration that will cause dynamic, remote package code execution by invoking `npx shadcn@latest mcp`. The file itself is not malicious, but it enables high-impact supply-chain risk because it fetches and runs the latest code from the npm registry without pinning or integrity checks. Recommend replacing `@latest` with a pinned, audited version (and ideally an integrity hash), executing such commands only in controlled/sandboxed environments, and adding monitoring and least-privilege controls to mitigate possible malicious package behavior.
No direct evidence of malicious code is present in this main-process fragment. The main security risk is structural/configuration-driven: it can load renderer content from an environment-controlled URL and it disables the renderer sandbox (sandbox: false), increasing the blast radius of any renderer/preload compromise. The actual risk level depends significantly on the unseen preload script and the audit/DB bridge handlers, which may create high-privilege IPC/DB surfaces.