Comment by jraph

Let's say they end up using Node. Node has a quite complete standard library that lets you access files and everything.

Now if they do it right and only embed some bare JS interpreter, it's still way harder to audit than these < 900 lines, for which it is quite easy to convince oneself that the interpreted script cannot do much.