xiaohongshu-account-research

Warn

Audited by Socket on May 8, 2026

1 alert found:

Anomaly (LOW)
_postplus_shared/00-core/shared-runtime/scripts/lib/hosted_media_generation_bridge.mjs

No clear evidence of intentional malware/backdoor behavior is present in this module alone. However, it provides powerful capabilities: it can read arbitrary local files (via resolved localFilePath) and write arbitrary files (via resolved outputPath) using remote-provided base64 content, with minimal validation/containment. If upstream callers or the bridge supply untrusted paths/urls/content, this can enable data exfiltration (upload) and unintended file overwrite or persistence-like impact (download).

Confidence: 62%
Severity: 63%

Audit Metadata

Analyzed At: May 8, 2026, 06:37 AM
Package URL: pkg:socket/skills-sh/PostPlusAI%2Fpostplus-skills%2Fxiaohongshu-account-research%2F@54edb735a0068ec69e3c52f8864e496c33276528