tuoluo-company-api

Pass. Audited by VirusTotal on May 10, 2026.

Findings (1)

The skill bundle contains significant security vulnerabilities in `scripts/api.sh`, primarily potential command injection risks where unsanitized shell variables (e.g., `$name`, `$admin_template`) are passed directly into `python3 -c` execution strings in `cmd_project_add` and `cmd_task_add`. Additionally, the script stores sensitive user credentials, including plain-text passwords, in a local `.api-config.json` file. While these appear to be unintentional coding flaws rather than intentional malware, they represent a high risk for exploitation.