eightctl

The manifest itself is not executable source code and contains no immediate malicious code, but it introduces moderate supply‑chain and credential exposure risk because it instructs fetching an unpinned external Go module (module@latest) and uses raw email/password stored in env vars or a local config. Recommend auditing the upstream repository, pinning releases, verifying network endpoints/telemetry, and switching to tokenized/authenticated approaches if available before trusting credentials.