openapi-tool-scaffold
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The scripts/openapi-to-mcp.py script downloads OpenAPI definitions from remote URLs using urllib.request.urlopen based on user input.
- [COMMAND_EXECUTION]: The skill instructions involve executing a CLI generator and the resulting Python scripts, which possess network and file access capabilities.
- [PROMPT_INJECTION]: The skill represents an indirect prompt injection surface due to its ingestion of untrusted external OpenAPI specifications.
  - Ingestion points: Untrusted data enters the context via specification files loaded from URLs or local paths by scripts/openapi-to-mcp.py.
  - Boundary markers: No explicit markers or instructions are provided to the agent to ignore potentially malicious instructions within the specification metadata.
  - Capability inventory: The generator script performs network operations and file writing. The generated output servers perform network requests and access sensitive environment variables.
  - Sanitization: The generator employs repr() and pprint.pformat() to escape data before inserting it into the Python template, preventing direct syntax injection into the generated script.
- [DATA_EXFILTRATION]: The generated code retrieves credentials from environment variables and transmits them to the base URL defined in the source specification, which could lead to exfiltration if the specification is malicious.
Audit Metadata