advanced-account-setup

SUSPICIOUS. The skill's capabilities largely match its stated OpenFunnel account-setup purpose, and the integrations align with OpenFunnel's documented product surface. The main concern is trust and transparency: all sensitive auth and API operations are delegated to unseen local shell scripts that store credentials in .env and process OAuth callback data. This is not clearly malicious, but the hidden wrapper layer makes credential handling and network behavior only partially verifiable.

No clear malware behavior is evident in this fragment (single fixed HTTPS destination, no persistence/backdoor/exfil beyond intended API authentication). The primary security risk is the use of `source` on a discovered `.env` file discovered via directory traversal, which can enable arbitrary command execution if the `.env` contents/location are attacker-controlled. METHOD/ENDPOINT are unvalidated and could cause unintended requests, but they do not appear to enable arbitrary host targeting in this snippet.

This module appears to be a legitimate sign-up/verification helper that communicates only with a fixed OpenFunnel API domain and stores returned credentials locally as intended by the script’s comments. However, it carries moderate security/abuse risk due to sensitive API key persistence to a local .env file, fragile parsing of JSON responses using grep/cut, and unescaped JSON construction from user-controlled inputs (risk of malformed/manipulated payloads). No strong indicators of overt malware or supply-chain sabotage are present in this fragment, but the credential-handling and parsing approach should be reviewed and hardened (e.g., JSON escaping and a proper JSON parser) before use in security-sensitive environments.