peep
Audited by Socket on Apr 10, 2026
2 alerts found:
Security / Malware
SUSPICIOUS: The skill’s Twitter-focused capabilities mostly match its stated purpose, and its network destination appears proportionate, but it requires highly sensitive browser/session credentials and is distributed through a low-trust personal repo with evidence of a separate-domain curl|sh installer. This is more consistent with a high-risk third-party account automation tool than confirmed malware.
This fragment describes a high-risk credential/session abuse workflow: it targets local browser cookie stores and CT0/auth tokens (including direct CLI/env token provision) and then uses those secrets to execute authenticated “whoami” requests. Even without the underlying implementation, the described source-to-sink paths are strongly aligned with session hijacking and account/token replay. This should be treated as a suspicious package capability and reviewed/controlled (e.g., avoid use in untrusted environments, restrict access to browser profiles, and inspect the actual tool implementation for outbound destinations and data handling).