embedded-captions
Audited by Socket on Jun 14, 2026
2 alerts found:
Security Anomaly
This module is best characterized as a local rendering/QA harness that inspects a GSAP-like timeline-driven page and reports text that renders off-frame. It does not itself implement obvious malware behaviors (no explicit exfiltration, credential access, or filesystem modification). The key security concern is dynamic runtime resolution and require() of the puppeteer module from broad, environment- and home-influenced directories, which could enable dependency/path hijacking if an attacker can write to or influence those locations. Additionally, it launches Chrome with '--disable-web-security' and '--allow-file-access-from-files', increasing impact if the target HTML or its imported resources are untrusted.