wechat-post-publisher
Audited by Socket on Apr 26, 2026
2 alerts found:
Anomaly (x2):

1. This module is consistent with a local environment/permission diagnostic utility and does not show clear malware behavior (no exfiltration, no persistence, no eval/obfuscation, no suspicious networking). However, it performs several high-sensitivity actions: it compiles/runs generated Swift code and writes to the user's macOS clipboard, and it invokes 'npx -y bun --version', which is a meaningful supply-chain/runtime execution surface. Overall risk is moderate: review/control of the 'npx' usage and of user-facing side effects (clipboard modification) are the primary security concerns.

2. No clear evidence of intentional malware (no eval/backdoor/stealthy exfiltration). However, there are meaningful security risks: (1) runtime execution via `npx -y bun` can introduce a supply-chain/execution surface independent of this package; (2) it can read arbitrary local files for image/cover paths derived from HTML/CLI input without strong allowlisting, which could lead to local file disclosure if inputs are attacker-controlled. Access tokens are also sent in query strings, which may leak via logs/proxies.