gogcli
Audited by Socket on Feb 21, 2026
1 alert found:
Security [Skill Scanner]: Installation of third-party script detected

The skill fragment describes a plausible gogcli workflow with installation, API enablement, OAuth client setup, credential storage, and usage. While not inherently malicious, the presence of Playwright-driven automation for OAuth setup and manual credential reconstruction raises security concerns around secret handling and supply-chain trust (non-official Brew tap). Recommend validating the official source, limiting scope, securing credential storage, and avoiding manual or UI-scraped credential extraction in production usage.

LLM verification: This SKILL.md is functionally coherent with its stated purpose (installing and configuring a Google Workspace CLI) and all described API calls are to legitimate Google endpoints. However, there are meaningful supply-chain and operational risks: the primary distribution uses a third-party Homebrew tap (petergriffin42/tap) without provenance checks, Playwright-assisted setup instructions encourage automated reading and snapshotting of the GCP Console (which may capture client IDs/secrets and token