TL;DR of this Hypixel's post: The Mod sends your Minecraft session token to a remote server operated by them. What does this mean? Basically, they "reroute" your login token to their servers first, so therefore, they could be able to use it. In other words, they can steal your account's login abilities. As the original topic says, anybody is accusing the mod author(s) of having malicious intentions, but this is definitely a risk I wouldn't take. The Mod contains functionality that allows any files to be downloaded from a remote server to the user's computer without consent as well as some files being uploaded from the users computer. This also doesn't mean that it's implemented with malicious intents. It could very easily be a function to download updates and upload crash logs, but it's there.