openapi-review
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- Prompt Injection (LOW): The skill is susceptible to indirect prompt injection (Category 8). It processes untrusted data from OpenAPI specifications (YAML/JSON) which contain various natural language fields such as
descriptionandsummary. An attacker could embed malicious instructions in these fields to override the agent's behavior or bias the review results. - Ingestion points: OpenAPI spec files provided via direct content, file paths, or directory paths (SKILL.md).
- Boundary markers: None explicitly defined in the prompt to separate user-provided specification content from the system instructions.
- Capability inventory: File system reading (local filesystem access via agent capabilities).
- Sanitization: No evidence of sanitization, escaping, or filtering of input strings before they are processed by the LLM.
- Data Exposure (LOW): The skill allows the agent to read arbitrary file and directory paths provided by a user. This capability could be leveraged to access sensitive configuration files if they are in JSON or YAML format (e.g., .env files formatted as JSON or cloud credentials). The skill lacks explicit path validation or restriction to a specific project directory.
Audit Metadata