add-sfx
Warn
Audited by Socket on Jun 29, 2026
1 alert found:
Anomaly (LOW): scripts/pull-library.sh
This module is an automated CDN-backed asset downloader, not an obvious standalone malware component. It does, however, have a meaningful supply-chain weakness: an untrusted remote catalog directly determines the filesystem write destination through catalog.sounds[*].file, and nothing enforces that the resulting path stays inside the intended LIB_DIR (an absolute path or a traversal segment such as ../ in that field would plausibly be honored). The script also performs no checksum or signature verification of the downloaded content. If the CDN or the catalog can be tampered with, this could allow arbitrary files to be overwritten on the host running the script.
Confidence: 72% / Severity: 65%
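The two gaps the alert names (no confinement of the catalog-supplied path to LIB_DIR, no integrity check on the payload) are both cheap to close in shell. The script below is an added example written for this page, not the package's own scripts/pull-library.sh: it confines every catalog `file` value to LIB_DIR, resolves symlinks before writing, and refuses any payload whose sha256 does not match the expected digest. LIB_DIR, the `file|sha256` catalog format, the `download` helper and the local "fake CDN" directory are all assumptions made for the example; the real script's CDN fetch would sit where the `cp` is.

```shell
#!/bin/sh
# Added example (not the project's own scripts/pull-library.sh): a hardened
# install step for a catalog-driven asset downloader. LIB_DIR, the catalog
# field layout and the fake CDN directory are assumptions for this example.

LIB_DIR="${LIB_DIR:-$(mktemp -d)}"
FAKE_CDN="$(mktemp -d)"   # constructed stand-in for the real CDN

# Reject any "file" value that could escape LIB_DIR: empty names, absolute
# paths, trailing slashes, backslashes, "." or ".." segments, and anything
# outside a conservative character allow-list.
safe_relpath() {
  case "$1" in ''|/*|*/|*\\*) return 1 ;; esac
  case "/$1/" in */../*|*/./*) return 1 ;; esac
  case "$1" in *[!A-Za-z0-9._/-]*) return 1 ;; esac
  return 0
}

# Compare a file's sha256 with the expected hex digest (GNU or BSD tooling).
verify_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$1" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
  fi
  [ "$actual" = "$2" ]
}

# Simulated download into a temp file. A real script would run something
# like: curl -fsSL "$CDN_BASE/$1" -o "$tmp" (assumed, not the project's code).
download() {
  tmp=$(mktemp) || return 1
  cp "$FAKE_CDN/$1" "$tmp" || { rm -f "$tmp"; return 1; }
  printf '%s\n' "$tmp"
}

# install_sound FILE SHA256: validate the path BEFORE fetching, verify the
# digest, confirm the resolved directory is still under LIB_DIR, then move.
install_sound() {
  safe_relpath "$1" || { echo "rejected unsafe path: $1" >&2; return 1; }
  tmp=$(download "$1") || { echo "download failed: $1" >&2; return 1; }
  if ! verify_sha256 "$tmp" "$2"; then
    echo "checksum mismatch for $1" >&2; rm -f "$tmp"; return 1
  fi
  dest="$LIB_DIR/$1"
  mkdir -p "$(dirname "$dest")" || { rm -f "$tmp"; return 1; }
  # Belt and braces: a symlinked subdirectory inside LIB_DIR could redirect
  # the write even though the relative path looked harmless.
  real_lib=$(cd "$LIB_DIR" && pwd -P) || { rm -f "$tmp"; return 1; }
  real_dir=$(cd "$(dirname "$dest")" && pwd -P) || { rm -f "$tmp"; return 1; }
  case "$real_dir/" in
    "$real_lib"/*) ;;
    *) echo "resolved outside LIB_DIR: $real_dir" >&2; rm -f "$tmp"; return 1 ;;
  esac
  mv "$tmp" "$dest"
}

# Process a catalog given as "file|sha256" lines on stdin; returns the number
# of entries that were rejected.
pull_catalog() {
  rejected=0
  while IFS='|' read -r file sha; do
    [ -n "$file" ] || continue
    if install_sound "$file" "$sha"; then
      echo "installed $file"
    else
      rejected=$((rejected + 1))
    fi
  done
  return "$rejected"
}

# Constructed demo: one good entry, one tampered payload, two hostile paths.
demo() {
  good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  mkdir -p "$FAKE_CDN/sfx"
  printf 'hello\n' > "$FAKE_CDN/sfx/click.wav"      # matches $good
  printf 'tampered\n' > "$FAKE_CDN/sfx/swap.wav"     # does not match
  pull_catalog <<EOF
sfx/click.wav|$good
sfx/swap.wav|$good
../../outside.wav|$good
/etc/cron.d/evil|$good
EOF
  echo "rejected $? of 4 entries; LIB_DIR=$LIB_DIR"
}
demo
```

One caveat a reviewer would raise: a digest that travels in the same remote catalog as the path only protects against a tampered CDN, not a tampered catalog. For the threat model the alert describes (the catalog itself is untrusted) the expected digests, or a signature over the catalog, should come from something pinned in the repository rather than from the download. Note also that `mkdir -p` runs before the symlink check, so a symlinked parent can still cause an empty directory to be created at its target; the payload itself is never written there.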