yuki

SUSPICIOUS: The skill's purpose and capabilities are broadly aligned, and the install source is an official npm package tied to the same vendor, so this is not overt malware. However, the integration routes Yuki access through Membrane as an intermediary, creating third-party credential/data exposure and a broader trust boundary than a direct Yuki integration; combined with mutable CLI install/exec instructions and broad proxy capabilities, this makes the skill medium risk.