Zentao API Skills (ZenTao API Skills)

Pass. Audited by VirusTotal on May 11, 2026.

Findings (1)

The skill bundle provides a comprehensive integration for the ZenTao API, but its authentication flow contains a significant shell injection vulnerability. 'SKILL.md' instructs the AI agent to run 'scripts/get-token.sh' and 'eval' its output, and that output embeds user-controlled values (ZENTAO_URL, ZENTAO_TOKEN, ZENTAO_ACCOUNT) without quoting or sanitization. Because 'eval' re-parses the emitted text as shell, a crafted ZENTAO_URL (one containing a ';', a '$(...)' substitution or a newline, for example) can execute arbitrary commands on the host when the agent evaluates the script's output. The skill also stores these credentials in plaintext in '~/.zentao-token.json'. Both appear to be unintentional security flaws in a legitimate tool from the official ZenTao ecosystem (easysoft/chandao.com), but they present a high risk of exploitation.
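To make the finding concrete, the following is an added example (not code from the skill bundle or from ZenTao) that contrasts the unquoted pattern the finding describes with an emitter that shell-escapes every value before it is handed to 'eval'. The variable names are the ones named in the finding; the function names ('emit_unsafe', 'emit_safe', 'shquote', 'probe'), the account and token values and the crafted URL are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: an emitted "export" line evaluated by the consumer, unquoted
# (the vulnerable pattern) versus shell-escaped (hardened). Not the skill's code.

# Constructed attacker-influenced value. The ';injected=1' tail is a harmless
# stand-in for any command: if it runs, the variable 'injected' appears.
CRAFTED_URL='http://zentao.example;injected=1'

# Vulnerable pattern: values are interpolated into the emitted line as-is, so
# any shell metacharacter in them is interpreted when the consumer runs eval.
emit_unsafe() {
    printf 'export ZENTAO_URL=%s\n' "$1"
    printf 'export ZENTAO_ACCOUNT=%s\n' "$2"
    printf 'export ZENTAO_TOKEN=%s\n' "$3"
}

# Single-quote a string for the shell: wrap it in '...' and replace each
# embedded ' with '\'' (close quote, escaped quote, reopen quote). POSIX sh
# has no printf %q, so sed does the substitution. Trailing newlines in the
# value are dropped by the command substitution; nothing else is altered.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hardened pattern: every value becomes one quoted literal word, so eval
# assigns it verbatim and cannot execute anything inside it.
emit_safe() {
    printf 'export ZENTAO_URL=%s\n' "$(shquote "$1")"
    printf 'export ZENTAO_ACCOUNT=%s\n' "$(shquote "$2")"
    printf 'export ZENTAO_TOKEN=%s\n' "$(shquote "$3")"
}

# Evaluate an emitter's output the way the agent does (eval) inside a subshell
# and report "<injected marker>|<ZENTAO_URL as actually assigned>".
# $1 is the emitter function to exercise.
probe() {
    (
        unset injected ZENTAO_URL
        eval "$("$1" "$CRAFTED_URL" admin secret-token)"
        printf '%s|%s\n' "${injected:-unset}" "$ZENTAO_URL"
    )
}

# Unquoted: the marker command runs and the URL is silently truncated at ';'.
printf 'unsafe: %s\n' "$(probe emit_unsafe)"
# Escaped: nothing runs and the URL survives intact, metacharacters included.
printf 'safe:   %s\n' "$(probe emit_safe)"
```

Escaping the output closes the injection shown here, but it still leaves the script's stdout as a trust boundary that eval crosses blindly; a consumer that reads the values (from a line-per-field or JSON output) and assigns them itself, with no eval at all, removes that boundary entirely. Nothing in the block addresses the plaintext '~/.zentao-token.json'; if the token must be written to disk at all, it should at least be created with restrictive permissions (for example under umask 077).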