weekly-report
Warn
Audited by Socket on Mar 26, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: The skill’s purpose and capabilities are mostly coherent, and the data flow matches Yuque reporting. The main concern is trust in the third-party yuque-mcp dependency: registry-hosted but weakly attributable, with credentials forwarded through MCP server code. This is not confirmed malicious, but it carries medium risk due to external dependency provenance and token handling.
Confidence: 85%
Severity: 57%
Audit Metadata