Yapi

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the fallback is used, code from npm may run locally and interact with YApi data or authentication state.

Why it was flagged

The skill may run an unpinned npm package when the local `yapi` command is unavailable. This is disclosed and central to the skill purpose, but it introduces normal package-provenance risk.

Skill content

If missing, fall back to one-shot npx without forcing global install:

npx -y @leeguoo/yapi-mcp -h

Recommendation

Prefer a locally installed and reviewed `yapi` CLI where possible, or verify and pin the npm package before using the fallback.

What this means

The agent may access YApi projects and interface documentation available to the logged-in account.

Why it was flagged

The skill uses YApi account authentication and references local auth cache files. This is expected for querying private YApi docs, but it means the agent may operate with the user's YApi account privileges.

Skill content

Confirm auth (`yapi whoami`), then run `yapi login` only when needed.

Config cache locations:
- Config: `~/.yapi/config.toml`
- Auth cache: `~/.yapi-mcp/auth-*.json`

Recommendation

Use an account or token scoped to the intended YApi projects, and avoid running this against accounts with broader access than needed.

What this means

A real sync could change API documentation visible to teammates or other YApi users.

Why it was flagged

The skill can perform a real docs sync after a dry run, which may update shared YApi documentation. The dry-run step is a useful guardrail, and the behavior matches the stated purpose.

Skill content

For docs sync tasks, do `--dry-run` first, then real sync.

yapi docs-sync --binding projectA --dry-run
yapi docs-sync --binding projectA

Recommendation

Review dry-run output and explicitly approve real syncs, especially for shared or production API documentation.