ydc-crewai-mcp-integration

Warn

Audited by Socket on Mar 4, 2026

1 alert found:

Security: MEDIUM (SKILL.md)

This skill is a legitimate integration recipe for connecting crewAI agents to You.com MCP tools. The core functionality (runtime MCP discovery, tool invocation, schema patching) aligns with the stated purpose. The main security concerns arise from operational practices: integration tests that require live API calls and the need to trust a runtime external MCP endpoint. These create increased risk of credential exposure, nondeterministic tests, and prompt-injection from raw web content returned by you-contents. There is no direct evidence of malware or covert exfiltration endpoints in the provided content, but runtime trust in a third-party server and the required live-testing approach justify treating this skill as medium risk. Operators should: (1) avoid running live integration tests in untrusted CI without secure secrets handling, (2) enforce input validation and strict trust boundaries before feeding you-contents results into agent actions, (3) pin dependency versions, and (4) restrict test runs to environments that safely store YDC_API_KEY.

Confidence: 85%
Severity: 75%
Audit Metadata

Analyzed At: Mar 4, 2026, 05:10 AM
Package URL: pkg:socket/skills-sh/youdotcom-oss%2Fagent-skills%2Fydc-crewai-mcp-integration%2F@d5205e5d650068415efe1196ca8f1592336a5530