extract-page-data

This module is a DOM-to-Markdown extractor wrapper, but it uses a high-risk execution pattern: it reads a local JavaScript file as text and executes it inside the browser context via new Function. As a result, if ../inject/extract-markdown.js is tampered with (supply-chain/sideload compromise), arbitrary script could run against the page DOM and return sensitive content to Node. The selector option is also unvalidated and can expand or alter the DOM scope processed by the helper. No explicit malware behaviors are visible in this fragment, but the delegation/eval-like mechanism warrants security review of the injected helper’s provenance and contents.

This snippet is primarily a DOM-scraping wrapper, but it has a significant supply-chain/sandbox integrity risk: it reads a local packaged script and executes it in the page context via new Function inside page.evaluate without any integrity verification. No explicit malicious activity (e.g., exfiltration or credential theft) is visible in this module itself, but compromise/tampering of the injected helper would enable arbitrary page-context behavior.

No explicit malicious payload is evident in this snippet, but it performs runtime download/install and dynamic import of executable code (Playwright) from a user-writable cache directory, and it launches Chromium with security-reducing flags ('--no-sandbox' and '--disable-web-security'). If an attacker can influence URLs, CDP endpoints, or the download/install artifacts (network/mirror/tampering), the potential security impact is significant. Mitigate by pinning/verifying dependency versions and downloads (integrity checks), reducing or removing weakened browser flags, and avoiding runtime installs in favor of pre-audited locked dependencies.