Comment 3 for bug 1575328

Doug Hellmann (doug-hellmann) wrote :

Two thoughts on mitigation:

1. We could unset any auth-related environment variables before loading commands for help (the only case when we indiscriminately load code, afaict) to hide the values from plugins, which would then need to ask the app for an auth handle and we don't let them do that during help.
2. We could add a check using the EnabledExtensionManager to require plugins to be installed into the global site-packages (or more flexibly, into the same site-packages where python-openstackclient is installed).

I agree with Morgan that we should also document this.
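
A sketch of the two mitigations proposed in this comment, as an added example that is not part of the original comment or of python-openstackclient's code. It assumes credentials arrive in `OS_*` environment variables and that the client package sits directly inside its site-packages directory; all function names are hypothetical, and `plugin_is_trusted` is the kind of predicate a plugin-manager check function could call.

```python
import os
import sysconfig
from contextlib import contextmanager
from pathlib import Path

# Assumption: credentials reach the client through OS_* variables (e.g. OS_PASSWORD).
AUTH_ENV_PREFIX = "OS_"


@contextmanager
def scrubbed_auth_env(environ=os.environ, prefix=AUTH_ENV_PREFIX):
    """Hide auth variables while plugin code is imported for help, then restore them."""
    saved = {k: v for k, v in environ.items() if k.startswith(prefix)}
    for key in saved:
        del environ[key]
    try:
        yield environ
    finally:
        environ.update(saved)


def trusted_dirs(anchor_file=None):
    """Global site-packages, plus the site-packages that holds the client package."""
    paths = sysconfig.get_paths()
    dirs = {Path(paths[k]).resolve() for k in ("purelib", "platlib")}
    if anchor_file is not None:
        # Assumption: anchor_file is <site-packages>/<package>/__init__.py
        dirs.add(Path(anchor_file).resolve().parent.parent)
    return dirs


def plugin_is_trusted(module_file, allowed):
    """True only if module_file resolves (symlinks, '..') to a path under an allowed dir."""
    path = Path(module_file).resolve()
    return any(d in path.parents for d in allowed)


def loadable_plugins(candidates, allowed):
    """Filter {name: module_file} down to the names that pass the location check."""
    return sorted(n for n, f in candidates.items() if plugin_is_trusted(f, allowed))
```

The location check has to run on the plugin's file path before the module is imported, since importing is what executes the plugin's code.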