yapi

SUSPICIOUS: the skill’s YApi query/sync purpose is plausible, but it depends on a third-party personal skill/package chain, installs another skill transitively, and forwards YApi credentials into that external CLI. Data flow mostly matches the stated purpose, yet install trust and credential forwarding are disproportionate enough to warrant medium-high risk.