gog-onboard

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to receive raw client_secret JSON from the user and embed it verbatim in shell commands (e.g., echo '' | gog auth credentials
• and --auth-url ''), requiring the LLM to handle and output secret values directly.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This onboarding guide explicitly instructs users to paste OAuth client_secret JSON and the redirect URL into chat, to bypass "unverified app" warnings, and to enable broad Workspace APIs and persistent tokens—behavior that facilitates credential harvesting, social‑engineered consent, and long‑term unauthorized access/data exfiltration.