Using /usr/bin/security to interact with the keychain undermines its security mechanisms and makes it as secure as storing data on the file system with global read permissions. By default, Keychain entries grant password-less access to the app that created them. This means anyone able to execute code on the machine can call /usr/bin/security and access credentials without a password prompt.

I think this behaviour should be changed or a disclaimer should be added to the README, as it might currently give users a false sense of security.

I've experimented with the go-keychain (https://github.com/keybase/go-keychain) library, which uses API calls to communicate with the keychain, resulting in proper permissions being set. It could be a good candidate for replacing the /usr/bin/security logic. However, I've encountered one issue: Apple seems to rely on the checksum of the binary when granting permissions, so when the Go binary is rebuilt, it loses access to old secrets in the keychain.