openapi-pro
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill protocol requires the execution of shell and TypeScript scripts (e.g., `scripts/generate-client.sh`, `scripts/validate-spec.ts`) that are referenced but not provided in the source files. Executing unverified local scripts can lead to arbitrary code execution if an attacker places malicious files at the expected paths.
- [EXTERNAL_DOWNLOADS] (LOW): The skill uses `bun x` to download and execute tools such as `openapi-typescript`, `orval`, and `redocly` from the public npm registry. Per [TRUST-SCOPE-RULE], these are downgraded to LOW/INFO because npm is a standard registry, but the lack of version pinning remains a minor risk.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: Untrusted OpenAPI specifications (`openapi.yaml`) and the Zod schemas derived from them are ingested into the agent's context.
  - Boundary markers: None. There are no delimiters or system-level instructions telling the agent to ignore natural-language commands embedded in the specification's descriptions or metadata.
  - Capability inventory: The skill has significant capabilities, including the ability to execute shell commands (`bun x`, `scripts/*.sh`) and to generate code that may be used in production environments.
  - Sanitization: None. There is no evidence that the OpenAPI content is validated or sanitized before it influences the agent's behavior or the code generation process.
Recommendations
- AI detected serious security threats
Audit Metadata