gpc-setup
Audited by Socket on Mar 12, 2026
1 alert found:
Anomaly: The skill aligns with its stated purpose of setting up and authenticating GPC, managing auth profiles, and diagnosing configuration issues. However, there are notable security concerns: (1) an explicit curl|bash installation from a raw GitHub URL without verifiable signatures or checksums presents a high supply-chain risk; (2) credentials are exposed through environment variables and may be cached in OS keychains, requiring careful handling and secure defaults; (3) data flows involve legitimate API usage but hinge on trust in the installation script and credential storage; (4) proxy/CA handling could be misused if TLS verification is weakened. Overall, the footprint is suspicious rather than benign due to the download-execute pattern and credential exposure potential. Treat as suspicious with strong emphasis on replacing the install method with verified, signed distribution (official registries, checksums) and minimizing credential exposure.