yao-weread-skill
Warn
Audited by Socket on May 18, 2026
1 alert found:
SecuritySecurityexamples/ai-founder-report/weread-report.html
MEDIUMSecurityMEDIUM
examples/ai-founder-report/weread-report.html
This module is primarily UI chart rendering and resizing, but it contains a high-impact dynamic execution mechanism: reviveFunctions uses new Function to execute any option string beginning with 'function('. If CHARTS/item.option can be influenced by an attacker, the code can execute arbitrary JavaScript in the browser. No direct exfiltration/backdoor behavior is evident in the snippet; the dominant risk is code-execution capability via configuration revival.
Confidence: 62%Severity: 70%
Audit Metadata