Yapi

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a YApi documentation helper whose npm execution, config reading, and local sync files fit its stated purpose.

Before installing, review the npm package source and only run sync commands when you intend to modify local project metadata. Keep YApi tokens in the config file scoped to the projects you want the skill to manage.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill instructs the agent to run docs-sync commands that write to repository files such as `.yapi/docs-sync.json` and related mapping outputs, but it does not explicitly warn that these commands modify the working tree or require user confirmation before doing so. In an agent setting, this can lead to unintended local file changes, accidental commits, or overwriting project metadata when a user only intended to inspect documentation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal