Supply-chain threat intelligence
Risk score: 92
Indexed incident for eyee (npm).
On require/run, eyee auto-executes main(): package.json sets main=cdp_inject.js, and the bottom of that file invokes main() unless --stop or --detach is passed. main() spawns a detached testpad.exe Chromium with --remote-debugging-port=9222, attaches via the Chrome DevTools Protocol, and injects a script that captures document.body.innerText and the active editor contents from any page the installer has open.

Captured questions and the LLM-generated answers are POSTed to a hardcoded Discord webhook (https://discord.com/api/webhooks/1512503888811659355/...) controlled by the author, silently relaying the installer's browser content to a third party. The same scraped content is sent to api.groq.com under one of six hardcoded gsk_... Groq API keys bundled in cdp_inject.js, so the installer's queries are also routed through an author-owned LLM account they did not opt into.

Outbound HTTPS to Groq is made with rejectUnauthorized: false, disabling TLS validation on the channel carrying scraped page content and bearer tokens. Process-wide uncaughtException and unhandledRejection handlers swallow errors to keep the loop running quietly.

The npm package name (eyee) does not match the README's install instructions (npm install -g cdp-core / npx -y cdp-core), consistent with republishing the same payload under multiple names.
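A static triage pass that flags the behaviours described above in an unpacked npm tarball, as an added example (not part of the incident record and not a vendor tool): it checks whether the package.json entry point calls main() at top level, searches the package's JavaScript for the --remote-debugging-port flag, rejectUnauthorized: false, hardcoded Discord webhook URLs, gsk_ Groq keys and process-wide error swallowing, and compares the install command in the README against the package name. The sample package it builds is constructed for the demonstration; the webhook ID and keys in it are placeholders, not the incident's indicators.

```python
"""Static triage of an unpacked npm package for the eyee/cdp-core behaviours.
Added example; regexes are written from the incident description, not from
the payload, and the sample package below is constructed."""
import json
import os
import re
import tempfile

# One regex per behaviour named in the incident record.
INDICATORS = {
    "spawns_remote_debugging_chromium": re.compile(r"--remote-debugging-port=\d+"),
    "tls_validation_disabled": re.compile(r"rejectUnauthorized\s*:\s*false"),
    "hardcoded_discord_webhook": re.compile(r"https://discord(?:app)?\.com/api/webhooks/\d+/"),
    "swallows_process_errors": re.compile(
        r"process\.on\(\s*['\"](?:uncaughtException|unhandledRejection)['\"]"),
}
GROQ_KEY = re.compile(r"\bgsk_[A-Za-z0-9]{16,}")
# "npm install [-g] NAME" or "npx -y NAME" in README text.
INSTALL_CMD = re.compile(r"np[mx]\s+(?:install\s+(?:-g\s+)?|-y\s+)([@\w./-]+)")


def _calls_main_at_top_level(src):
    """True if some line calls main() without defining or exporting it,
    e.g. `if (!process.argv.includes("--stop")) main();`."""
    for line in src.splitlines():
        if re.search(r"\bmain\s*\(\s*\)", line) and not re.search(
                r"\bfunction\b|=>|exports", line):
            return True
    return False


def scan_package(pkg_dir):
    """Return a dict of findings for the package rooted at pkg_dir."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    name = manifest.get("name", "")
    main_file = manifest.get("main", "index.js")
    findings = {"name": name, "main": main_file, "indicators": set(),
                "groq_keys": set(), "runs_on_require": False,
                "readme_install_names": set()}
    for root, _, files in os.walk(pkg_dir):
        for fn in files:
            path = os.path.join(root, fn)
            with open(path, encoding="utf-8", errors="ignore") as f:
                text = f.read()
            if fn.endswith(".js"):
                for label, rx in INDICATORS.items():
                    if rx.search(text):
                        findings["indicators"].add(label)
                findings["groq_keys"].update(GROQ_KEY.findall(text))
                if os.path.relpath(path, pkg_dir) == main_file:
                    findings["runs_on_require"] = _calls_main_at_top_level(text)
            elif fn.lower().startswith("readme"):
                findings["readme_install_names"].update(INSTALL_CMD.findall(text))
    findings["readme_name_mismatch"] = sorted(
        n for n in findings["readme_install_names"] if n != name)
    findings["flag_count"] = (len(findings["indicators"])
                              + bool(findings["groq_keys"])
                              + findings["runs_on_require"]
                              + bool(findings["readme_name_mismatch"]))
    return findings


def build_sample_package():
    """Write a constructed package that mimics the described layout
    (name eyee, main=cdp_inject.js, README naming cdp-core) and return its path.
    The JavaScript is a non-functional stub with placeholder values."""
    d = tempfile.mkdtemp(prefix="pkg_")
    with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "eyee", "version": "0.0.0", "main": "cdp_inject.js"}, f)
    with open(os.path.join(d, "cdp_inject.js"), "w", encoding="utf-8") as f:
        f.write("""const { spawn } = require("child_process");
const WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER";
const KEYS = ["gsk_CONSTRUCTEDPLACEHOLDERKEY0001", "gsk_CONSTRUCTEDPLACEHOLDERKEY0002"];
process.on("uncaughtException", () => {});
process.on("unhandledRejection", () => {});
async function main() {
  spawn("testpad.exe", ["--remote-debugging-port=9222"], { detached: true });
  const opts = { host: "api.groq.com", rejectUnauthorized: false };
}
if (!process.argv.includes("--stop")) main();
""")
    with open(os.path.join(d, "README.md"), "w", encoding="utf-8") as f:
        f.write("# cdp-core\n\nnpm install -g cdp-core\n\nor: npx -y cdp-core\n")
    return d


if __name__ == "__main__":
    print(scan_package(build_sample_package()))
```

Run it against a directory produced by `npm pack` followed by `tar xf`, before installing; a package whose entry point runs main() at top level and also carries a remote-debugging flag, disabled TLS validation and hardcoded credentials is worth blocking on those facts alone, whatever its name.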
Affected versions
Indicators
Timeline