recordly

Warn

Audited by Socket on May 19, 2026

1 alert found:

Anomaly
AnomalyLOW
scripts/install_recordly.sh

No explicit malware indicators are present in the shell installer itself (no obvious exfiltration, backdoor, or credential-stealing logic). However, it has meaningful supply-chain risk because it clones/pulls an unpinned remote repository and then runs npm install and platform-specific build scripts that execute lifecycle/build code from unverified upstream content; it also clears macOS quarantine and sets execution permissions on whichever first matching artifacts it finds. Hardening should include pinning the repo to an immutable commit/tag, enforcing npm lockfile integrity (e.g., npm ci with a committed lockfile), and optionally verifying signatures/checksums for both source and resulting artifacts.

Confidence: 66%Severity: 60%
Audit Metadata
Analyzed At
May 19, 2026, 04:43 PM
Package URL
pkg:socket/skills-sh/tdimino%2Fclaude-code-minoan%2Frecordly%2F@1edafdd4b099ce48108de91c9c2660046e82e1bc
Security Audit — socket — recordly