Zentao Auto Report (禅道自动报告)

Pass. Audited by VirusTotal on Apr 1, 2026.

Findings (1)

The skill automates Zentao work reporting but contains several security weaknesses. scripts/match-tasks.sh and scripts/report.sh are vulnerable to code injection: they interpolate unsanitized shell variables (such as $USER_DESC) directly into the Python source string passed to 'python3 -c', so a value containing a quote character terminates the string literal and any Python that follows it runs with the user's privileges. The skill also stores Zentao credentials in plaintext in $HOME/.config/zentao/.env and writes session cookies to the fixed path /tmp/cookies.txt in the shared temporary directory, where the file's readability depends on the umask and the predictable name can be pre-created or replaced by another local user. These appear to be unintentional flaws rather than intentional malware, but they represent significant security risks.
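The following is an added example, not code from the skill or from the VirusTotal report. It reconstructs the injection pattern described above with constructed functions (the variable name USER_DESC is taken from the finding; the function names and the JSON payload are assumptions) and shows the hardened form beside it, plus a private cookie jar and a permission check for the .env file in place of the fixed /tmp path and unprotected credentials file.

```shell
#!/bin/sh
# Added illustration of the finding; not the skill's own scripts.

# VULNERABLE pattern: the caller's text is spliced into Python source.
# A description containing a single quote breaks the literal, and a crafted
# one such as "');import os;os.system('id');('" executes arbitrary Python.
unsafe_desc_json() {
  USER_DESC="$1"   # variable name as cited in the finding; body is constructed
  python3 -c "import json; print(json.dumps({'desc': '$USER_DESC'}))"
}

# HARDENED: the Python source is a constant, single-quoted by the shell;
# the data travels through argv and is never parsed as code.
# With 'python3 -c CODE ARG', sys.argv is ['-c', 'ARG'].
safe_desc_json() {
  python3 -c 'import json, sys; print(json.dumps({"desc": sys.argv[1]}))' "$1"
}

# Same idea via the environment, convenient when several values are needed.
safe_desc_json_env() {
  USER_DESC="$1" python3 -c 'import json, os; print(json.dumps({"desc": os.environ["USER_DESC"]}))'
}

# Cookie jar: instead of a fixed, predictable /tmp/cookies.txt, create an
# unpredictable file with mode 0600 in a per-user directory and print its path.
private_cookie_jar() {
  dir="${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}"
  (umask 077 && mktemp "$dir/zentao-cookies.XXXXXX")
}

# Credentials file check: returns 0 only if the file exists and is not
# readable by group or others (0600 or stricter), 1 otherwise.
check_env_mode() {
  f="$1"
  [ -f "$f" ] || return 1
  case "$(ls -ld "$f" | cut -c1-10)" in
    -rw-------|-r--------) return 0 ;;
    *) return 1 ;;
  esac
}
```

A report script would then call something like check_env_mode "$HOME/.config/zentao/.env" before sourcing it and refuse to run (or chmod 600 the file) when the check fails, and would pass the path printed by private_cookie_jar to curl's -b/-c options instead of /tmp/cookies.txt.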