daily-capture

Likely benign in purpose and scope: the skill's read/write access to Yuque matches note capture and organization. The main concern is trust in the third-party yuque-mcp dependency, which handles a personal Yuque token but is not verifiably official to Yuque and has weak package provenance. This is better classified as suspicious supply-chain/credential-forwarding risk than malware.