tech-design

SUSPICIOUS. The capability fits the stated purpose, and the requested Yuque group token is plausible for saving docs to team repos. The main issue is install/execution trust: the skill depends on a not-clearly-official yuque-mcp server from personal publishers, which becomes a high-value credential and data handling intermediary. This is not confirmed malicious, but the third-party MCP trust boundary and credential forwarding make it medium-to-high risk.