creator-buddy
Warn
Audited by Socket on Jul 3, 2026
2 alerts found:
SecurityAnomalySecuritySKILL.md
MEDIUMSecurityMEDIUM
SKILL.md
Anomalyskills/global-content-search/src/platforms/agentReach.js
LOWAnomalyLOW
skills/global-content-search/src/platforms/agentReach.js
No overt malicious payload behavior (e.g., exfiltration to attacker-controlled domains, persistence, or obfuscated backdoors) is evident in this specific module. However, the code has a meaningful security risk: it can execute an arbitrary binary specified by process.env.DOUYIN_COMMAND (arbitrary command execution if the environment can be influenced). Additionally, commandExists() uses a shell-based `sh -lc` with interpolated content (elevated risk pattern), and mcporter call strings embed user-derived values into a downstream interpreter. Overall risk is driven by host command-execution control and toolchain trust boundaries rather than direct malware in the snippet.
Confidence: 70%Severity: 65%
Audit Metadata