wps-airpage
Audited by Socket on Apr 2, 2026
2 alerts found:
Anomaly, Malware
No definitive malicious/backdoor behavior is evident in this module alone (no eval/obfuscation and no explicit network exfiltration code here). The security posture is still concerning due to (1) automatic runtime npm installation when node_modules is missing, (2) installation of chrome-devtools-mcp via npx/claude using an unpinned @latest version, (3) persistent handling of high-value Cookie/CSRF secrets, (4) spawning a local auth-browser helper when requested, and (5) ability to read arbitrary local files via '@filepath' and then use their contents as payloads for remote operations. Overall, treat as a supply-chain and secret-handling sensitive CLI and verify/pin dependency versions and inspect the delegated modules before use.
This module is primarily a credential-harvesting automation utility: it uses a persistent browser profile to collect WPS/KDocs session cookies and extracts a CSRF token from the authenticated web app, then saves both locally via `saveCredentials`. Such behavior is security-critical (session hijack risk if the saved credentials or profile directory are compromised). Additional risk comes from runtime dependency installation/downloading and launching Chromium with `--no-sandbox`. While the network targets appear to be the legitimate kdocs domain, the credential capture and persistence pattern makes this a high security risk component that warrants strict review of `saveCredentials`, storage permissions, distribution intent, and threat model.