Salesforce API Integration
Pass
Audited by VirusTotal on May 14, 2026.
Findings (1)
The skill bundle is benign. All `curl` commands across the various markdown files consistently target legitimate Salesforce API endpoints (`*.my.salesforce.com`, `login.salesforce.com`, `test.salesforce.com`) using environment variables `SF_ACCESS_TOKEN` and `SF_INSTANCE_URL`. The `SKILL.md` explicitly defines a narrow and secure scope, disallowing access to files outside `~/salesforce-api-integration/` and requests to non-Salesforce endpoints, which is adhered to by all other files. There is no evidence of data exfiltration, malicious execution (e.g., `curl | bash`), persistence mechanisms, or prompt injection attempts designed to subvert the agent's intended behavior. The `setup.md` file describes various authentication methods, including the username-password flow, but these are instructions for the user to set up their environment variables, not actions performed by the skill itself.
