# Scan Notes: MetaMask `web3auth-web`

Date: 2026-02-15
Repo: https://github.com/Web3Auth/web3auth-web
Program: HackerOne MetaMask (top-paying export)

## Quick Results

Semgrep (`p/security-audit` + `p/owasp-top-ten`):
- 0 findings

Trufflehog (filesystem, no verification):
- 1 detection in `scripts/wallet-registry-wc.json` at a Chrome Web Store URL (false positive).

## Next Places To Look (Manual)

- OAuth/login flows and redirect URL handling
- Any message passing / iframe / postMessage boundaries
- Wallet registry ingestion/update paths (supply-chain style risks)