jyml

PassAudited by ClawScan on May 16, 2026.

Overview

This looks like a straightforward YAML/JSON converter skill, with the main caveat that it asks users to install or run an external npm CLI.

This skill appears safe for normal YAML/JSON conversion tasks. Before use, confirm you trust the external npm package and review the output path so it only creates or overwrites files you intend to convert.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Installing or running the npm package could affect the local environment if the package or its dependencies are untrusted.

Why it was flagged

The skill relies on an external npm package that is not included in the provided artifacts. This is expected for a CLI wrapper, but users should recognize that npm/npx will run code from that package.

Skill content

npm install -g jyml

# Or use npx for one-off conversions
npx jyml <file>

Recommendation

Verify the npm package and publisher before installing, and prefer user approval before running npm install or npx.