My concern is about uploading avatars on behalf of others. I'm pretty certain that this violates the ToS, however this is something that is going on right now and for this reason should be addressed.

Currently, people who want to share their avatars, but respectfully do not want to share their unity packages with their assets are asking users to change their password and send them their credentials.

This is highly alarming and against best practices of authentication.

Say users get used to the idea of sharing their credentials, malicious attackers could start manipulating users, with the promise of an avatar, into handing over credentials.

It is my opinion that an upload API key is required to explicitly and strictly allow uploading on behalf of users. A key that could be generated and rolled from within the VRChat website and set to one-time-use or repeated-use.

I understand that this might be explicitly against the ToS, in terms of ownership of content, however this is very clearly not already being followed.

But in terms of securing credentials, I believe this is a worth while development. I also believe that this is better in terms of having more control and containment.