xactions-cli
Audited by Socket on Feb 28, 2026
1 alert found:
Malware
This repository is a standard-seeming command-line scraper for X/Twitter that requires a browser session token (auth_token) and uses Puppeteer to automate browsing. The main security concerns are: (1) explicit user instruction to extract and paste a sensitive session cookie, and (2) storing that token in a plaintext file (~/.xactions/config.json) which increases the risk of token theft if the environment or package is compromised. There are no explicit references to external attacker-controlled endpoints, obfuscated payloads, or automatic exfiltration in the supplied text, so I find no confirmed malicious code. However, the credential handling and download/execute surface (Puppeteer browser binaries, global install) make this package a moderate supply-chain risk: treat auth_token handling carefully, prefer ephemeral/session-limited tokens, and audit any network calls or post-install scripts before using in sensitive environments.