ydc-ai-sdk-integration

Fail

Audited by Socket on Mar 4, 2026

1 alert found:

Malware (HIGH)
SKILL.md

This SKILL file is consistent with its stated purpose (integrating You.com tools into Vercel AI SDK apps). There is no evidence of direct malicious code, obfuscation, or explicit exfiltration to attacker-controlled endpoints.

The primary risks are legitimate and expected for this functionality: (1) indirect prompt injection, because web content (including full-page HTML) is inserted into the model context; (2) credential forwarding to You.com APIs (YDC_API_KEY), which is necessary but sensitive; and (3) potential accidental leakage via logs or tests that call real APIs. The documentation acknowledges many of these risks and prescribes mitigations (system prompt, allowlists, avoid logging raw results), which reduces concern but does not eliminate it.

Recommended actions: enforce allowlists/URL validation for youContents, ensure the system prompt is always present when tools are used, avoid logging raw tool results, and ensure CI/test harnesses never run integration tests with real API keys unless explicitly intended.

Overall, this skill should be treated as functionality-with-risk (not malware), with moderate security risk due to data-injection and credential-forwarding vectors.

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Mar 4, 2026, 05:10 AM
Package URL: pkg:socket/skills-sh/youdotcom-oss%2Fagent-skills%2Fydc-ai-sdk-integration%2F@ad26e8c2d79c89371ee28f34d8cf568a4894561b