dakboard

The skill is classified as suspicious due to the handling of the `DAKBOARD_API_KEY`. While the `SKILL.md` and the Python script's internal manifest transparently declare that the API key is sent to `https://dakboard.com/api/`, the `scripts/dakboard.py` file implements this by appending the API key directly as a URL query parameter (`?api_key=...`) for every request. This method of transmitting sensitive credentials is a significant security vulnerability, as API keys in URLs can be logged by web servers, proxies, and network monitoring tools, increasing the risk of exposure and compromise of the DAKboard account. There is no evidence of intentional malicious behavior such as exfiltration to unauthorized endpoints, local file system manipulation, or prompt injection against the agent.