Could we solve this via a OpenML authenticator? So you'd switch from github auth to openmlauth?

If you make a new authenticator then handling the API token is easy. The hub can then make requests to OpenML authenticated as the user. Similar to what is done for forking/pushing to repos on github.

these variables should be used not from the code of everware, but from user notebook instead. so decided that:

if one provides params=value in launch URL , those params get into environment
also could be string field (and list of already set variables) that user can specify at the same page as github repo is specified.
Anyway parameter parsing should be rather strict to avoid possible injections

To make it a little less scary (think a bit.ly like link where the parameters are hidden from the user) would be to prefix all the variables before injecting them.

This way evil people can't overwrite your PS1 but only EVR_PS1 or what ever variable they are specifying.

I wonder why CI severs like travis or circle don't see anything bad in overriding PS1? )
one upside of having variables without prefix is for example one can setup same variable in several systems (everware and travis) and his/her study would run equally on both systems. If we introduce prefix, he/she would have take care of this prefix inside travis, which would look rather cumbersome. in other words I'd stay for a bit without prefix and if it would hurt, introduce it afterwards.