woven-sfx

Warn

Audited by Socket on Jun 28, 2026

1 alert found:

Anomaly (severity: LOW)
scripts/pull-library.sh

This fragment is primarily an untrusted network-to-filesystem downloader/installer. It fetches a remote JSON catalog and then writes downloaded content to disk at destinations derived from remote catalog fields (catalog.sounds[].file) without enforcing that writes remain within the intended library directory. That creates a meaningful supply-chain risk: if the catalog/CDN is compromised or manipulated, an attacker may overwrite or place files outside LIB_DIR (path traversal/absolute-path escape), and also control which network resources are fetched. There is no integrity/authenticity verification for the catalog or assets, increasing the impact of CDN or catalog tampering. No direct evidence of classic malware (e.g., reverse shell, credential theft, command execution of downloaded content) is present in this module; the main risk is unsafe handling of untrusted destination paths.

Confidence: 72% | Severity: 66%

Audit Metadata
Analyzed At: Jun 28, 2026, 03:22 PM
Package URL: pkg:socket/skills-sh/woven-video%2Fskills%2Fwoven-sfx%2F@ed12940debc1201f879e4336755c072107c8a84fb7e850e48782295067ee8705