The main security-audit tool is plausible, but the package also contains undisclosed unrelated scripts that can send chat messages and process payment files.
Review before installing. Use the audit script only if you are comfortable with it inspecting local configuration, environment-variable names, git history, ports, and writing reports. Do not run or keep the unrelated reminder and payment scripts unless you explicitly need them; rotate the exposed WeCom webhook if it belongs to you, and review/redact any audit report before sending it to Feishu or any webhook.