swagger-gen
Audited by Socket on Mar 1, 2026
1 alert found:
Obfuscated File

This package's declared functionality (LLM-assisted OpenAPI generation from Express routes) is plausible and useful, but it carries moderate supply-chain and data-exfiltration risk. The primary risks are: (1) accidental leakage of proprietary code or embedded secrets, because the tool parses handler code and requires an OpenAI API key, and (2) remote-code-execution risk when the package is run via npx. The README's contradictory statements about API keys and its absence of privacy/retention details are red flags. Recommended actions before use: review the package source locally, avoid running it against sensitive repositories, use temporary API keys with minimal privileges, and request and verify a documented privacy/retention policy from the maintainers.