direct-messages

Fail

Audited by Socket on Feb 28, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

Functionally, the package matches its stated purpose: it provides client-side tools (console scripts) to bulk-send and manage DMs on X. There is no explicit evidence in the provided fragment of built-in remote exfiltration, hard-coded credentials, or obfuscation. The main risks arise from the distribution/execution method (paste-into-console), the high privileges granted by acting in the user's authenticated session (read and send private messages), and client-side persistence (localStorage) that exposes metadata. Treat this as a medium security risk: safe if audited and run by a knowledgeable operator in a controlled environment, but dangerous if used blindly or after modification. Apply strict operational controls (audit code before paste, use dryRun, remove persisted data, avoid exports) and avoid running on high-value accounts without review.

Confidence: 98%
Audit Metadata
Analyzed At: Feb 28, 2026, 09:54 AM
Package URL: pkg:socket/skills-sh/nirholas%2FXActions%2Fdirect-messages%2F@e4d346cdc789bd5fd853c80dc08e2cfe1414f8d9