postiz

This module is a straightforward third-party widget loader. It does not show overt malicious logic in the snippet itself, but it dynamically executes external JavaScript from a third-party domain without integrity/SRI verification and passes a hardcoded tenant/identifier via data attributes. The main risk is supply-chain/trust: if the hosted embed script is compromised or behaves maliciously, it could affect the hosting page.