tempo-docs
Audited by Socket on Jul 6, 2026
4 alerts found:
Securityx2Anomalyx2No clear indicators of traditional malware (exfiltration, keylogging, backdoor network callbacks, or obfuscated payloads) exist in this module. However, it contains a high-severity security anti-pattern: a hardcoded mnemonic embedded in client-side code used to authorize token transfers to a user-supplied destination. Combined with environment-dependent branching, this creates a substantial risk of unintended/abusive transfers if deployed outside a strictly isolated test environment or if build/runtime configuration is incorrect. Recommend removing hardcoded mnemonic from client bundles, enforcing strict environment gating/allowlisting server-side, and using ephemeral/funded-by-user wallet signing instead.
SUSPICIOUS. The skill’s purpose broadly matches its capabilities, but it relies on a pipe-to-shell installer, routes requests and wallet activity through a proprietary CLI, and discourages independent verification. This looks more like a high-trust vendor integration than overt malware, with medium security risk from supply-chain and credential/payment mediation.