yapi

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the yapi CLI and npx to perform operations such as searching for interfaces, fetching documentation details, and syncing local files to the YApi server.
  • [EXTERNAL_DOWNLOADS]: Installs the @leeguoo/yapi-mcp package globally via npm and adds the leeguooooo/cross-request-master skill. It also manages the agent-browser-stealth dependency for browser-based authentication.
  • [DATA_EXPOSURE]: Accesses the tool's own configuration and authentication cache stored in ~/.yapi/config.toml and ~/.yapi-mcp/ to retrieve the base URL and session tokens required for API interactions.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes external API documentation content. It implements security controls such as wrapping HTML content in sandboxed iframes (without script execution) when displaying documentation to mitigate risks from untrusted data ingestion.
Audit Metadata
Risk Level: SAFE
Analyzed: May 16, 2026, 07:21 AM
Security Audit — agent-trust-hub — yapi