baoyu-post-to-wechat
Audited by Socket on May 25, 2026
1 alert found:
Malware
This module primarily performs WeChat posting automation, but it contains a high-risk supply-chain/security abuse behavior: it captures the WeChat login QR code from the browser and sends it to Telegram using bot credentials from environment variables. That is direct exfiltration of authentication-enabling material. Additionally, it heavily relies on CDP Runtime.evaluate with dynamically constructed expressions and executes local helper binaries via spawnSync, increasing overall risk. No direct system compromise primitives (e.g., reverse shell, file erasure) are evident in this fragment, but the QR-to-Telegram capability makes the package potentially malicious/abusive depending on its usage context.