music-search
Audited by Socket on Jun 23, 2026
2 alerts found:
Anomalyx2No clear evidence of intentional malware/backdoors is present in this JavaScript wrapper. However, the module carries meaningful security and supply-chain risk: it can execute a Python interpreter path controlled by an environment variable, and it may install Python dependencies at runtime via `pip install -r requirements.txt` when the venv is missing. Additionally, resolve mode performs server-side fetching of a user-provided URL with redirect following, which can enable SSRF-like risks depending on network egress controls. Overall, treat as a high-impact dependency-execution/scraping tool that warrants hardening (pin/verify Python deps, restrict MUSIC_SEARCH_PYTHON_PATH usage, and constrain outbound URL fetching).
该技能目的与核心能力基本一致:搜索并聚合公开音乐网盘链接。但它依赖未固定的第三方抓取库、未公开的本地安装脚本,以及未验证的 web-search 技能,带来中等供应链与间接提示注入风险。未见明确恶意外传或凭据窃取证据,因此更像高可疑/中风险技能而非确认恶意。