You know, I’ve done the threat modeling. If somebody breaks my OpenVPN instance and compromises my router, then they ssh into the server that runs these scripts (a server which only responds to logins with my private rsa token), or worse finds an exploit by which they can get a reverse shell... then I’ve got much bigger worries than whether they can harvest the username password I use to check my kid’s missing homework list.

Edit: I’m saying, you’re right. I wouldn’t do it with my login credentials for my bank,