creator-buddy

Warn

Audited by Socket on Jul 3, 2026

2 alerts found:

SecurityAnomaly
SecurityMEDIUM
SKILL.md
AnomalyLOW
skills/global-content-search/src/platforms/agentReach.js

No overt malicious payload behavior (e.g., exfiltration to attacker-controlled domains, persistence, or obfuscated backdoors) is evident in this specific module. However, the code has a meaningful security risk: it can execute an arbitrary binary specified by process.env.DOUYIN_COMMAND (arbitrary command execution if the environment can be influenced). Additionally, commandExists() uses a shell-based `sh -lc` with interpolated content (elevated risk pattern), and mcporter call strings embed user-derived values into a downstream interpreter. Overall risk is driven by host command-execution control and toolchain trust boundaries rather than direct malware in the snippet.

Confidence: 70%Severity: 65%
Audit Metadata
Analyzed At
Jul 3, 2026, 09:41 AM
Package URL
pkg:socket/skills-sh/zephyrwang6%2Fbaokuan-article-analysis%2Fcreator-buddy%2F@9aca5f1418d851ba58908a351f58e0513c3b8ca0
Security Audit — socket — creator-buddy