tiangong-kb-course-fulltext-fetch
Warn
Audited by Socket on Jun 13, 2026
2 alerts found:
AnomalySecurityAnomalyscripts/course_fulltext_fetch.sh
LOWAnomalyLOW
scripts/course_fulltext_fetch.sh
The script itself shows no direct malware behavior (no explicit exfiltration or stealth), but it is a high-impact execution/conduit wrapper: it can fetch and run a runtime-resolved dependency (`npx ...@latest`), allows the executed command to be overridden via environment variables, and exports variables from a caller-supplied env_file into the CLI’s environment. These factors create meaningful supply-chain and configuration-driven risk. Additionally, when output redirection is enabled, fetched content is written to a caller-controlled path and may be leaked to stderr on failure.
Confidence: 100%Severity: 60%
SecuritySKILL.md
MEDIUMSecurityMEDIUM
SKILL.md
Audit Metadata