group-tech-design

SUSPICIOUS. The skill’s behavior is broadly aligned with its purpose and uses seemingly direct Yuque-style operations, but it requires a group token and routes actions through an external yuque-mcp server with only partially verifiable provenance. This is not confirmed malicious, yet the credential-forwarding and third-party MCP trust make it a medium-risk skill.