Yuque

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the token is broad, the agent may access or modify personal and team Yuque content within that token's permissions.

Why it was flagged

The skill requires a Yuque account token, which is expected for the service but gives the agent whatever Yuque account and workspace permissions that token has.

Skill content

Yuque API Token (stored in environment variable `YUQUE_TOKEN`)... All API requests require an `X-Auth-Token` header with your Yuque token.

Recommendation

Use a dedicated, least-privilege Yuque token when possible, avoid sharing it in prompts or logs, and revoke or rotate it when no longer needed.

What this means

A mistaken namespace, document ID, or prompt could create or overwrite Yuque content in a personal or team space.

Why it was flagged

The included client can create and update Yuque documents, which is purpose-aligned but can mutate shared knowledge-base content.

Skill content

`return self._request("POST", f"/repos/{namespace}/docs", data)` ... `return self._request("PUT", f"/repos/{namespace}/docs/{id}", data)`

Recommendation

Confirm the target repository, document, and content before create or update operations, especially in team spaces or public repositories.

What this means

Some documented commands may fail, or a user might be tempted to obtain missing helper scripts from elsewhere without review.

Why it was flagged

SKILL.md references helper and reference files that are not included in the supplied file manifest, creating a small completeness/provenance gap for those documented commands.

Skill content

`scripts/parse_yuque.py` - Parse Yuque HTML to Markdown; `scripts/search_yuque.py` - Search documents in repositories; `references/examples.md`

Recommendation

Use the included `scripts/yuque_cli.py` for reviewed operations, and only add missing helper scripts after inspecting their source.