Social Login

• low · GitHub token persisted in settings for repo access — In maybeStoreGithubToken() (src/Extension.php), an admin's GitHub access token with 'repo' scope is stored in Settings('github.token') so the store owner can read private repos. This is documented/opt-in (social.github.repos), but persisting a high-privilege OAuth token broadens impact if the settings store is compromised. No external exfiltration occurs.
• low · Account auto-link by email may be unverified for some providers — findOrCreateUser() links to an existing local account by matching profile email. For GitHub/Google verification is checked for email_verified_at, but the email-based account *takeover* match itself does not strictly require provider-verified email before linking to a pre-existing user with the same address. Risk is limited since providers used generally return verified primary emails, but worth hardening.
• low · Admin page posts to window.parent — adminPage() script calls window.parent.postMessage with location.origin as targetOrigin (correctly scoped). Benign toast integration; no data leakage beyond same origin.

Automated review of v1.1.0 by claude-opus-4-8 1 week ago. This is an automated signal to aid your judgment — not a guarantee.