yapi
Facilitates test-driven API development with CLI-first testing for HTTP, GraphQL, gRPC, and TCP protocols.
Security score
The yapi skill was audited on Feb 9, 2026 and we found 39 security issues across 4 threat categories, including 3 high-severity. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context

| Line | Content |
| --- | --- |
| 22 | ```yaml |
| 45 | Now your tests use `${url}` and `${API_KEY}` - same test, any environment: |
| 68 | ```yaml |
| 78 | ```yaml |
| 91 | ```yaml |
| 105 | ```yaml |
| 122 | ```yaml |
| 149 | ```yaml |
| 222 | ```yaml |
| 246 | ```yaml |
| 291 | ```yaml |
| 311 | ```yaml |
| 329 | ```yaml |
| 367 | ```yaml |
| 520 | ```yaml |
| 537 | ```yaml |
| 555 | ```yaml |
| 569 | ```yaml |
| 590 | ```yaml |
| 608 | ```yaml |
| 655 | - **Reference previous steps**: Use `${step_name.field}` to pass data between chain steps |

Piping content to bash shell

| Line | Content |
| --- | --- |
| 260 | run: curl -fsSL https://yapi.run/install/linux.sh \| bash |

Curl to non-GitHub URL

| Line | Content |
| --- | --- |
| 260 | run: curl -fsSL https://yapi.run/install/linux.sh \| bash |

Webhook reference - potential data exfiltration

| Line | Content |
| --- | --- |
| 363 | ### Webhook/Callback Waiting |
| 365 | Wait for a webhook to be received: |
| 378 | - name: wait_for_webhook |
| 379 | url: ${url}/webhooks/received |

Access to .env file

| Line | Content |
| --- | --- |
| 42 | - .env.prod # load secrets from file |
| 630 | .env # local secrets (gitignored) |
| 631 | .env.example # template for secrets |

External URL reference

| Line | Content |
| --- | --- |
| 28 | url: http://localhost:3000 |
| 33 | url: https://staging.example.com |
| 38 | url: https://api.example.com |
| 260 | run: curl -fsSL https://yapi.run/install/linux.sh \| bash |
| 401 | - "http://localhost:3000/healthz" |
| 409 | url: http://localhost:3000 |
| 422 | yapi test --start "npm start" --wait-on "http://localhost:4000/health" |
| 432 | \| HTTP/HTTPS \| `http://localhost:3000/healthz` \| Poll until 2xx response \| |
| 450 | wait-on: http://localhost:3000/healthz |

Install this skill with one command
/learn @jamierpond/yapi