Yapi
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate YApi documentation helper, but it can run a YApi CLI/npm fallback, use YApi login state, and perform documentation syncs that may change shared API docs.
Before installing, confirm you trust the `yapi` CLI or npm fallback package, use only the intended YApi account/base URL, and require a manual review of dry-run output before allowing any real docs sync.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the fallback is used, code from npm may run locally and interact with YApi data or authentication state.
The skill may run an unpinned npm package when the local `yapi` command is unavailable. This is disclosed and central to the skill's purpose, but it introduces the usual package-provenance risk.
If missing, fallback to one-shot npx without forcing global install:
`npx -y @leeguoo/yapi-mcp -h`
Prefer a locally installed and reviewed `yapi` CLI where possible, or verify and pin the npm package before using the fallback.
The agent may access YApi projects and interface documentation available to the logged-in account.
The skill uses YApi account authentication and references local auth cache files. This is expected for querying private YApi docs, but it means the agent may operate with the user's YApi account privileges.
Confirm auth (`yapi whoami`), then run `yapi login` only when needed. Config cache locations:
- Config: `~/.yapi/config.toml`
- Auth cache: `~/.yapi-mcp/auth-*.json`
Use an account or token scoped to the intended YApi projects, and avoid running this against accounts with broader access than needed.
A real sync could change API documentation visible to teammates or other YApi users.
The skill can perform a real docs sync after a dry run, which may update shared YApi documentation. The dry-run step is a useful guardrail, and the behavior matches the stated purpose.
For docs sync tasks, do `--dry-run` first, then real sync.
`yapi docs-sync --binding projectA --dry-run`
`yapi docs-sync --binding projectA`
Review dry-run output and explicitly approve real syncs, especially for shared or production API documentation.
