openapi-tool-scaffold

Warn

Audited by Snyk on May 12, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The generator explicitly fetches OpenAPI documents from arbitrary HTTP(S) URLs (in scripts/openapi-to-mcp.py, load_text uses urllib.request.urlopen), and the SKILL.md and its examples show public specs such as https://petstore3.swagger.io/api/v3/openapi.json being used. These untrusted, user-hosted OpenAPI specs are parsed and used to auto-generate tools and runtime behavior (TOOL_RUNTIME, security schemes, endpoints) that directly determine tool creation and subsequent actions, so third-party content can materially alter agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The generator (scripts/openapi-to-mcp.py) fetches arbitrary OpenAPI specs at runtime (e.g., https://petstore3.swagger.io/api/v3/openapi.json) and uses the fetched document to generate MCP server code and tool definitions, which directly control the agent's exposed tools and behavior.

Audit Metadata

Risk Level: MEDIUM
Analyzed: May 12, 2026, 08:04 AM
Issues: 2