music-search

Warn

Audited by Socket on Jun 23, 2026

2 alerts found:

Anomalyx2
AnomalyLOW
scripts/music-search.js

No clear evidence of intentional malware/backdoors is present in this JavaScript wrapper. However, the module carries meaningful security and supply-chain risk: it can execute a Python interpreter path controlled by an environment variable, and it may install Python dependencies at runtime via `pip install -r requirements.txt` when the venv is missing. Additionally, resolve mode performs server-side fetching of a user-provided URL with redirect following, which can enable SSRF-like risks depending on network egress controls. Overall, treat as a high-impact dependency-execution/scraping tool that warrants hardening (pin/verify Python deps, restrict MUSIC_SEARCH_PYTHON_PATH usage, and constrain outbound URL fetching).

Confidence: 66%Severity: 65%
AnomalyLOW
SKILL.md

该技能目的与核心能力基本一致:搜索并聚合公开音乐网盘链接。但它依赖未固定的第三方抓取库、未公开的本地安装脚本,以及未验证的 web-search 技能,带来中等供应链与间接提示注入风险。未见明确恶意外传或凭据窃取证据,因此更像高可疑/中风险技能而非确认恶意。

Confidence: 81%Severity: 64%
Audit Metadata
Analyzed At
Jun 23, 2026, 06:07 AM
Package URL
pkg:socket/skills-sh/storyclaw-official%2Fstoryclaw-assistant%2Fmusic-search%2F@f3ac6287aed46326a87f09c319f8bcaf3858c2fde28f51784c3634a07bbf7c4a
Security Audit — socket — music-search