Trust Assessment
yapi received a trust score of 77/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include Command Injection via unsanitized user input to CLI, Access to sensitive credentials in configuration file, Unpinned third-party dependencies.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Command Injection via unsanitized user input to CLI.** The skill explicitly instructs the use of the `yapi` CLI with parameters derived from user-provided URLs or other inputs (e.g., `api_id`, `binding`, `path`). If these inputs are not properly sanitized before being passed to the shell command, an attacker could inject arbitrary shell commands. For example, an `api_id` like `123; rm -rf /` could lead to critical system compromise. *Recommendation:* Implement robust input validation and sanitization for all user-derived parameters passed to shell commands. Consider using a library that safely escapes shell arguments or, if possible, using direct API calls instead of shell commands to avoid shell injection risks entirely. | LLM | SKILL.md:16 |
| MEDIUM | **Access to sensitive credentials in configuration file.** The skill explicitly states it will 'Load config from `~/.yapi/config.toml`'. This file is documented to contain sensitive information such as `email/password or token`. While the skill does not explicitly state it will exfiltrate this data, loading it into the skill's context makes it vulnerable to exposure if the skill's internal state is compromised (e.g., via prompt injection) or if other vulnerabilities could lead to data exfiltration. *Recommendation:* Minimize the scope of loaded configuration to only necessary, non-sensitive parameters. If credentials must be loaded, ensure they are handled with extreme care, never logged, and never exposed in output. Consider using secure credential storage mechanisms or environment variables instead of file-based storage for sensitive data. | LLM | SKILL.md:56 |
| MEDIUM | **Unpinned third-party dependencies.** The skill instructs the installation of `@leeguoo/yapi-mcp`, `mmdc`, and `pandoc` without specifying exact versions. This exposes the skill to supply chain risk, where a malicious update to an unpinned dependency could introduce vulnerabilities or backdoors. Additionally, `@leeguoo/yapi-mcp` might be a non-official or typosquatted package, increasing the risk of using an untrusted source. *Recommendation:* Pin all third-party dependencies to specific, known-good versions. Verify the authenticity and reputation of all dependencies, especially those installed globally. Consider using a dependency lock file (e.g., `package-lock.json`, `pnpm-lock.yaml`) to ensure deterministic builds and prevent unexpected changes. | LLM | SKILL.md:35 |
Full report: https://skillshield.io/report/bb29fd07304c6e41
Powered by SkillShield