📦
审计历史
hyperframes-creative - 2 审计
审计版本 2
最新 中风险Jun 30, 2026, 02:08 AM
The static scanner reported many critical and high findings, but most are false positives from design-language keywords, Markdown examples, and harmless words such as SAME. Real concerns remain: local helper scripts can execute npm, Node, and ffmpeg, and the design picker injects generated preview HTML with innerHTML.
67
已扫描文件
28,120
分析行数
12
发现项
codex
审计者
中风险问题 (4)
templates/design-picker.html:924-930templates/design-picker.html:1301-1304references/design-picker.md:41-43
Local HTML Injection Surface in Design Picker
The design picker renders generated preview_html and option data with innerHTML. The reference warns that preview_html must not contain scripts, event handlers, or javascript URLs, so misuse can create local XSS in the picker page.
scripts/package-loader.mjs:24-28scripts/package-loader.mjs:181-192scripts/package-loader.mjs:227-252
Local Dependency Bootstrap Executes npm and Re-runs Node
The package loader can install pinned helper packages into a temporary directory and re-run the current Node process. It uses confirmation, pinned specs, and --ignore-scripts, but it still executes local package-management commands.
ffmpeg Subprocess Processes User-Supplied Media
The audio extraction helper passes a user-provided media path to ffmpeg and writes JSON output. It avoids shell=True, but ffmpeg parsing of untrusted media is still a local processing risk.
frame-presets/blue-professional/caption-skin.html:29frame-presets/blue-professional/frame-showcase.html:7-10templates/design-picker.html:817-820
External Runtime and Font Dependencies
Several HTML assets load GSAP or fonts from external CDNs. These are normal presentation dependencies, but they create network access and supply-chain exposure during preview or rendering.
低风险问题 (3)
Static Critical Sensitive Findings Are Keyword Collisions
The reported Windows SAM database findings include prose such as SAME in comments, not access to Windows credential stores. I did not find evidence of SAM database reads.
frame-presets/blue-professional/FRAME.md:3-8references/design-picker.md:61-67palettes/monochrome.md:8-11
Static Weak-Crypto and C2 Findings Are Mostly Design Text
Many high findings are caused by terms inside frame presets, color descriptions, Markdown examples, and visual style labels. No evidence found of cryptographic routines or command-and-control behavior in those cited design files.
Prompt Injection Search Found No Direct Override Text
A targeted search for common instruction-override phrases found no evidence of embedded prompts telling the evaluator to ignore instructions, skip review, or change risk levels.
风险因素
🌐 网络访问 (3)
⚙️ 外部命令 (3)
📁 文件系统访问 (3)
⚡ 包含脚本 (3)
检测到的模式
innerHTML Assignment With Generated HTMLSynchronous Child Process ExecutionPython Subprocess Execution
审计版本 1
中风险Jun 27, 2026, 09:04 AM
The static scanner reported many critical and high findings, but most are false positives from design-language keywords, Markdown examples, and harmless words such as SAME. Real concerns remain: local helper scripts can execute npm, Node, and ffmpeg, and the design picker injects generated preview HTML with innerHTML.
67
已扫描文件
28,120
分析行数
12
发现项
codex
审计者
中风险问题 (4)
templates/design-picker.html:924-930templates/design-picker.html:1301-1304references/design-picker.md:41-43
Local HTML Injection Surface in Design Picker
The design picker renders generated preview_html and option data with innerHTML. The reference warns that preview_html must not contain scripts, event handlers, or javascript URLs, so misuse can create local XSS in the picker page.
scripts/package-loader.mjs:24-28scripts/package-loader.mjs:181-192scripts/package-loader.mjs:227-252
Local Dependency Bootstrap Executes npm and Re-runs Node
The package loader can install pinned helper packages into a temporary directory and re-run the current Node process. It uses confirmation, pinned specs, and --ignore-scripts, but it still executes local package-management commands.
ffmpeg Subprocess Processes User-Supplied Media
The audio extraction helper passes a user-provided media path to ffmpeg and writes JSON output. It avoids shell=True, but ffmpeg parsing of untrusted media is still a local processing risk.
frame-presets/blue-professional/caption-skin.html:29frame-presets/blue-professional/frame-showcase.html:7-10templates/design-picker.html:817-820
External Runtime and Font Dependencies
Several HTML assets load GSAP or fonts from external CDNs. These are normal presentation dependencies, but they create network access and supply-chain exposure during preview or rendering.
低风险问题 (3)
Static Critical Sensitive Findings Are Keyword Collisions
The reported Windows SAM database findings include prose such as SAME in comments, not access to Windows credential stores. I did not find evidence of SAM database reads.
frame-presets/blue-professional/FRAME.md:3-8references/design-picker.md:61-67palettes/monochrome.md:8-11
Static Weak-Crypto and C2 Findings Are Mostly Design Text
Many high findings are caused by terms inside frame presets, color descriptions, Markdown examples, and visual style labels. No evidence found of cryptographic routines or command-and-control behavior in those cited design files.
Prompt Injection Search Found No Direct Override Text
A targeted search for common instruction-override phrases found no evidence of embedded prompts telling the evaluator to ignore instructions, skip review, or change risk levels.
风险因素
🌐 网络访问 (3)
⚙️ 外部命令 (3)
📁 文件系统访问 (3)
⚡ 包含脚本 (3)
检测到的模式
innerHTML Assignment With Generated HTMLSynchronous Child Process ExecutionPython Subprocess Execution