api-contract-validator
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes various command-line utilities via `npx` to perform API validation and compatibility checks. Evidence includes calls to `@apidevtools/swagger-cli`, `oasdiff`, and `openapi-typescript` for generating types and detecting breaking changes. The vendor-specific tool `@j0kz/api-contract-validator` is also utilized for core validation tasks.
- [EXTERNAL_DOWNLOADS]: The skill references and installs several packages from the NPM registry. These include `@pact-foundation/pact` for contract testing and `@apidevtools/swagger-cli` for schema validation. These dependencies are from well-known technology organizations or the verified vendor 'j0kz'.
- [PROMPT_INJECTION]: The skill processes external data in the form of OpenAPI specifications and contract files, creating a surface for indirect prompt injection.
  - Ingestion points: The skill reads and processes user-provided files such as `api-spec.yml` and other YAML/JSON API definitions.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the provided examples.
  - Capability inventory: The skill can execute subprocesses via CLI tools that parse the content of these external files.
  - Sanitization: The skill relies on the internal parsing and validation logic of the external CLI tools to handle malformed or malicious inputs.
Audit Metadata