gog-onboard
Audited by Socket on Feb 24, 2026
1 alert found:
Obfuscated File
The document is an operational skill for using the 'gog' CLI to control Google Workspace and appears functionally legitimate. It contains no direct code-level malware or obfuscated payloads in the provided text. However, the described operator-mediated setup (pasting client_secret JSON and redirect URLs into chat) and installation via a third-party Homebrew tap create meaningful supply-chain and credential-exposure risks. Recommend: never paste client_secret JSON into chat; prefer browser-based OAuth where secrets remain on the user's host, or use short-lived authorization codes only; verify and pin the gog binary (checksums/signatures) before installing; run the binary in a sandboxed environment and audit network calls; minimize OAuth scopes and rotate credentials after use. If these mitigations cannot be enforced, treat the workflow as high-risk.
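The "verify and pin the gog binary" recommendation above, as an added example that is not part of the Socket report or of the gog project: a small POSIX shell routine that refuses to install a downloaded binary unless its SHA-256 matches a digest pinned in advance. The file contents, the pinned digest (the standard SHA-256 test vector for "abc") and the install path are constructed for the demo; for a real install the pinned value must be taken from the maintainer's signed release notes or a checksums file whose signature you have checked separately, since a digest fetched from the same untrusted tap proves nothing.

```shell
#!/bin/sh
# Added example (not from the Socket report or the gog project): gate an
# install on a pinned SHA-256 so a tampered or swapped binary is rejected.

# Print the SHA-256 hex digest of a file, using whichever tool the host has
# (sha256sum on Linux, shasum on macOS where Homebrew taps are common).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_pinned_binary FILE EXPECTED_SHA256
# Succeeds only when the file's digest equals the pinned value exactly.
verify_pinned_binary() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# install_if_verified FILE EXPECTED_SHA256 DEST
# Copies the binary into place only after the digest check passes; on a
# mismatch nothing is written and the function returns non-zero.
install_if_verified() {
  if verify_pinned_binary "$1" "$2"; then
    install -m 0755 "$1" "$3"
    echo "installed $3"
  else
    echo "checksum mismatch for $1; refusing to install" >&2
    return 1
  fi
}

# --- constructed demo data (stands in for a downloaded gog release) ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/bin"
# The "good" download: contents are the bytes "abc" (no newline).
printf 'abc' > "$demo_dir/gog"
# A tampered download: one extra byte appended.
printf 'abcX' > "$demo_dir/gog-tampered"
# Pinned digest: SHA-256("abc"), a fixed test vector, playing the role of the
# value published in the maintainer's signed checksums file.
PINNED_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

# Demo run: the genuine file installs, the tampered one is rejected.
install_if_verified "$demo_dir/gog" "$PINNED_SHA256" "$demo_dir/bin/gog"
install_if_verified "$demo_dir/gog-tampered" "$PINNED_SHA256" "$demo_dir/bin/gog-tampered" \
  || echo "demo: tampered binary rejected as expected"
```

The digest comparison is a plain string equality on the full hex value, so a truncated or prefix-matching digest cannot pass. This block covers only the integrity half of the recommendation; authenticity of the pinned digest itself still depends on verifying the signature over the checksums file with the maintainer's key before copying the value into PINNED_SHA256.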