1) Ships pre-compiled binaries with no source code, tells you to wget && chmod +x && sudo mv it into PATH. No checksums, no signatures. For a security tool.
2) Every command is parsed via regex (^Dns_Lookup\((.+)\);$) wit zero input sanitization and captured groups go straight into net.Dial, HTTP requests
3) URL_Status(), HTTP_Headers(), WebFingerprint() are trivial SSRF vectors, point them at http://169.254.169.254/ and have fun.
4) Secretly sends your targets to third-party APIs (ipapi.co, ipinfo.io, crt.sh, pwnedpasswords.com) with no disclosure or user consent