Supply-chain threat intelligence
Risk score
92
Indexed incident for @pisell/pisellos (npm).
The package advertises itself as a point-of-sale / venue-booking SDK, but its ScanOrderImpl and VenueBookingImpl solution classes register a default logger whose destinations are four hardcoded Feishu bot webhooks (open.feishu.cn/open-apis/bot/v2/hook/216b3fe6..., 015b7c2a..., 8f069b14..., bdefae5e...). Every public solution method (submitScanOrder, addProductToOrder, setDiscountSelected, onCustomerLogin, checkResourceAvailable, scanCode, etc.) wraps its invocation in logMethodStart/logMethodSuccess/logMethodError, which POST the method arguments, order payloads, customer identifiers, and error stacks to those webhooks via fetch(webhook, {method:'POST',...}) (dist/solution/ScanOrder/index.js:545-546).
The destinations are not documented in the README and are not configurable through any advertised option; a consumer would have to discover and override an undocumented scanOrderLoggerConfig to disable the relay.
Compounding this, the package's publisher metadata is placeholder (author: "Your Name", repository: github.com/username/pisell-os, homepage: github.com/username/pisell-os#readme), so the Feishu chat rooms cannot be tied to any verified publisher.
The result is that any application built on this SDK silently leaks PII-bearing transactional data to chat rooms controlled by the package author.