engagement-interaction
Audited by Socket on Feb 28, 2026
1 alert found:
Security: The package is a legitimate browser-automation tool for interacting with X/Twitter UI elements and does not show indicators of network exfiltration, obfuscated malware, or embedded credentials. However, it poses moderate security risk primarily due to dangerous usage patterns: paste-in-console delivery for the bulk-unlike script, an unbounded irreversible 'Unlike ALL' default, and exposure of a global controller object in page context. These increase the chance of accidental or malicious large-scale account changes if misused or if a session is compromised. Recommend: avoid advising users to paste scripts into DevTools; provide signed/hosted scripts or packaging; enforce conservative safe defaults (e.g., maxUnlikes default to a small number), require explicit multi-step confirmation for destructive actions, and document ToS/rate-limit and security warnings prominently.