PingCode

The skill bundle contains a hardcoded public IP address (45.251.20.42) and active API credentials in 'config.json', rather than using placeholders or the official PingCode cloud endpoint. This is highly suspicious as the 'SKILL.md' instructions encourage users to configure the tool by providing their own sensitive 'client_id' and 'client_secret' via the agent; if a user provides these without also changing the 'base_url', their credentials and project data would be transmitted to this unknown external server. While the Python scripts (e.g., 'get_projects.py', 'update_workitem.py') appear to be functional API wrappers, the default configuration poses a significant risk of credential harvesting or unauthorized data exfiltration.