stale-detector

SUSPICIOUS. The skill's capabilities are mostly proportional to a Yuque stale-document audit, and it does not contain deceptive actions, exploit logic, or obvious exfiltration behavior. The main concern is trust: it relies on a third-party yuque-mcp server that receives the user's Yuque token, while the available package provenance is weak and not verifiably tied to Yuque or a clearly established publisher. This is better classified as a supply-chain and credential-forwarding risk than confirmed malware.