gcloud-cli
Audited by Socket on Mar 3, 2026
1 alert found:
Malware
The skill aligns with its stated purpose (managing Google Cloud resources via gcloud) but has medium security concerns centered on supply-chain and data persistence. The highest-risk findings: (1) recommending a curl | bash installer without integrity verification, which is a significant supply-chain vector, and (2) enforcing read/write of persistent agent memory files that can store sensitive context or credentials. Destructive actions (delete operations) increase operational risk unless confirmations are robustly enforced. Mitigations: avoid pipe-to-shell installs (use package managers or signed releases), eliminate or encrypt persisted memory of sensitive data, use least-privilege and short-lived credentials (impersonation where possible), and require strong human approval for destructive operations. With these mitigations the skill's security profile improves from medium to low/acceptable for controlled environments.