This file implements a DSL interpreter that executes external script files and dynamically loads modules. It calls eval() on script content and requires manifest-specified modules, which are then invoked with full interpreter context. Together these present a high security risk: an attacker who can modify Door.json, .du scripts, or local module files can execute arbitrary code in the host process. There is no robust sandboxing, no strong input validation, and only weak ad-hoc regex filtering. The package should be treated as high-risk for supply-chain and local-file tampering scenarios. Mitigations: avoid running this with untrusted inputs, restrict filesystem permissions, validate and sign manifests and scripts, or run the interpreter in a properly isolated environment (Node vm with restricted globals or a separate process with least privilege). Note that Node's documentation states the vm module is not a security mechanism, so restricted globals alone do not contain untrusted code; the separate least-privilege process is the stronger of the two options.
Live on npm for 3 hours and 14 minutes before removal. Socket users were protected even while the package was live.