nopal-setup

SUSPICIOUS. The skill's purpose and capabilities mostly align, and install/network paths appear official, but it materially weakens credential handling by directing export of unmasked Google OAuth credentials into a plaintext file for agent use. This is not confirmed malware, yet it creates a meaningful local credential exposure risk around an external CLI that bundles native binaries.