baoyu-post-to-wechat

Warn

Audited by Socket on Apr 24, 2026

1 alert found:

Anomaly (LOW)
scripts/wechat-agent-browser.ts

This code is a legitimate-appearing, purpose-built WeChat editor automation tool, but it performs high-privilege operations: it executes JavaScript in the automated browser context via eval-like commands and includes a sensitive fallback that reads local files using fetch('file://...') and uploads them. No explicit credential theft, persistence, or obvious malicious network behavior is present in this module; however, the eval capability and local-file-to-browser fallback make the supply-chain security risk meaningfully elevated and dependent on the safety of the agent-browser binary and runtime trust model.

Confidence: 62%
Severity: 63%
Audit Metadata
Analyzed At: Apr 24, 2026, 11:01 AM
Package URL: pkg:socket/skills-sh/yelban%2Fbaoyu-skills.TW%2Fbaoyu-post-to-wechat%2F@0f6f573618a1b306cb39fd146e49265effe507a7