tempo-docs

Warn

Audited by Socket on Jul 6, 2026

4 alerts found:

Securityx2Anomalyx2
SecurityMEDIUM
src/components/guides/VirtualAddressesLiveDemo.tsx
AnomalyLOW
src/components/guides/steps/payments/AddFundsToOthers.tsx

No clear indicators of traditional malware (exfiltration, keylogging, backdoor network callbacks, or obfuscated payloads) exist in this module. However, it contains a high-severity security anti-pattern: a hardcoded mnemonic embedded in client-side code used to authorize token transfers to a user-supplied destination. Combined with environment-dependent branching, this creates a substantial risk of unintended/abusive transfers if deployed outside a strictly isolated test environment or if build/runtime configuration is incorrect. Recommend removing hardcoded mnemonic from client bundles, enforcing strict environment gating/allowlisting server-side, and using ephemeral/funded-by-user wallet signing instead.

Confidence: 74%Severity: 67%
SecurityMEDIUM
scripts/lighthouse.ts
AnomalyLOW
ai/plugins/tempo/skills/tempo-wallet/SKILL.md

SUSPICIOUS. The skill’s purpose broadly matches its capabilities, but it relies on a pipe-to-shell installer, routes requests and wallet activity through a proprietary CLI, and discourages independent verification. This looks more like a high-trust vendor integration than overt malware, with medium security risk from supply-chain and credential/payment mediation.

Confidence: 84%Severity: 64%
Audit Metadata
Analyzed At
Jul 6, 2026, 12:39 PM
Package URL
pkg:socket/skills-sh/tempoxyz%2Fdocs%2Ftempo-docs%2F@d3f52a721efb1cc3bd522f5428286d41cbd101bf
Security Audit — socket — tempo-docs