yapi
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the `yapi` CLI and `npx` to perform operations such as searching for interfaces, fetching documentation details, and syncing local files to the YApi server.
- [EXTERNAL_DOWNLOADS]: Installs the `@leeguoo/yapi-mcp` package globally via npm and adds the `leeguooooo/cross-request-master` skill. It also manages the `agent-browser-stealth` dependency for browser-based authentication.
- [DATA_EXPOSURE]: Accesses the tool's own configuration and authentication cache stored in `~/.yapi/config.toml` and `~/.yapi-mcp/` to retrieve the base URL and session tokens required for API interactions.
- [INDIRECT_PROMPT_INJECTION]: The skill processes external API documentation content. It implements security controls such as wrapping HTML content in sandboxed iframes (without script execution) when displaying documentation to mitigate risks from untrusted data ingestion.
Audit Metadata