yao-weread-skill

Warn

Audited by Socket on May 18, 2026

1 alert found:

Security
SecurityMEDIUM
examples/ai-founder-report/weread-report.html

This module is primarily UI chart rendering and resizing, but it contains a high-impact dynamic execution mechanism: reviveFunctions uses new Function to execute any option string beginning with 'function('. If CHARTS/item.option can be influenced by an attacker, the code can execute arbitrary JavaScript in the browser. No direct exfiltration/backdoor behavior is evident in the snippet; the dominant risk is code-execution capability via configuration revival.

Confidence: 62%Severity: 70%
Audit Metadata
Analyzed At
May 18, 2026, 02:09 AM
Package URL
pkg:socket/skills-sh/yaojingang%2Fyao-open-skills%2Fyao-weread-skill%2F@57501dab9babc1f9dbdf5a0a951c7e9d854f9204
Security Audit — socket — yao-weread-skill