oas-api-spec-generator
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTIONNO_CODE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches API documentation and OpenAPI specifications from a wide range of trusted organizations and well-known services, including OpenAI, Microsoft, Google, AWS, Stripe, and GitHub. These references are used as authoritative sources for spec generation and are documented neutrally.
- [PROMPT_INJECTION]: The skill ingests untrusted data from external documentation sites, which constitutes an indirect prompt injection surface. This is a standard risk for any skill performing web-fetching and data extraction tasks.
- Ingestion points: Uses WebFetch to pull content from provider documentation URLs and GitHub-hosted spec files.
- Boundary markers: No explicit delimiters are specified to isolate fetched documentation from the rest of the agent's context.
- Capability inventory: The skill's primary capability is writing generated YAML files to the local file system.
- Sanitization: The skill relies on the agent's natural language processing to extract data without explicit sanitization steps for the input content.
- [NO_CODE]: The skill is entirely instruction-based and does not contain any executable scripts, binary files, or code dependencies, significantly reducing the direct attack surface.
Audit Metadata