meeting-notes

SUSPICIOUS. The skill’s behavior matches its stated purpose, but it depends on an unofficial third-party yuque-mcp bridge that receives a group Token and mediates document creation. Data flows to the official Yuque API are plausible, yet the unverified bridge provenance and credential-forwarding design make this a medium-high security risk rather than benign.