woven-sfx
Audited by Socket on Jun 28, 2026
1 alert found:
Anomaly: This fragment is primarily an untrusted network-to-filesystem downloader/installer. It fetches a remote JSON catalog and then writes downloaded content to disk at destinations derived from remote catalog fields (catalog.sounds[].file) without enforcing that writes remain within the intended library directory. That creates a meaningful supply-chain risk: if the catalog/CDN is compromised or manipulated, an attacker may overwrite or place files outside LIB_DIR (path traversal/absolute-path escape), and also control which network resources are fetched. There is no integrity/authenticity verification for the catalog or assets, increasing the impact of CDN or catalog tampering. No direct evidence of classic malware (e.g., reverse shell, credential theft, command execution of downloaded content) is present in this module; the main risk is unsafe handling of untrusted destination paths.