tapd-openapi

SUSPICIOUS. The skill’s purpose and capabilities mostly align with legitimate TAPD automation, and there is no install/download-execute behavior. The main issue is data-flow integrity: TAPD credentials are sent to a fully configurable TAPD_API_ENDPOINT instead of a pinned official TAPD API domain, which makes credential forwarding possible if the environment is misconfigured or maliciously set.