Yagi is currently a non-custodial protocol, however, keepers do require permissionless access to the task interface on a contract. Therefore, it is up to the task author to only use Yagi for non-exploitable actions such as rebalancing, harvesting, filling limit orders, etc.