test-ui
Audited by Socket on Feb 16, 2026
2 alerts found: Obfuscated File, Anomaly
No direct evidence of malware in this documentation fragment; the package provides powerful automation features that require care. Primary risks: plaintext persistence of injected authentication (.auth-session.json), arbitrary-page JS execution (evaluate.js) enabling possible data exfiltration if misused, and reliance on correct working directory causing accidental exposure. Recommend: inspect the actual inject-auth.js and evaluate.js implementations for input validation and safe handling, ensure .auth-session.json is either disabled by default or created with restrictive permissions (600) and opt-in persistence, avoid passing sensitive tokens on shared shells or CI, and treat evaluate.js usage as executing untrusted code — limit inputs and/or sandbox them. If used in CI or shared environments, do not persist auth and prefer ephemeral credentials.
This script intentionally executes user-provided JavaScript inside a browser page context (via page.evaluate + eval) and navigates to user-provided URLs without validation. The code itself does not contain obvious malware, obfuscation, or hardcoded secrets, but it provides a powerful primitive that can be abused to read sensitive page data or perform exfiltration when given untrusted input. Treat use of this tool as high-risk if scripts or URLs can be influenced by untrusted parties; otherwise it is expected functionality for a browser automation CLI.