orchestrate-multi-target-sdks

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION] (SAFE): The skill utilizes the speakeasy CLI tool to perform its primary function of SDK orchestration. The commands (quickstart, configure, run) are used correctly within the context of the documented workflow.
  • [EXTERNAL_DOWNLOADS] (SAFE): The skill includes examples of configuring sources from external URLs (e.g., https://api.example.com/openapi.yaml). This is a standard and expected feature for generating code from remote OpenAPI specifications.
  • [DATA_EXPOSURE] (SAFE): The GitHub Action example appropriately uses secret references (secrets.GITHUB_TOKEN, secrets.SPEAKEASY_API_KEY) rather than hardcoding sensitive credentials. There is no evidence of unauthorized file access or data exfiltration.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill defines a surface for ingesting untrusted data via external OpenAPI sources.
      • Ingestion points: speakeasy configure sources --location [URL/FILE] in SKILL.md.
      • Boundary markers: Absent; the CLI treats the input as a structured API specification.
      • Capability inventory: speakeasy run executes generation, which involves file writes to the local filesystem.
      • Sanitization: Relies on the Speakeasy CLI's internal validation of the OpenAPI document schema.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:09 PM