specmatic-openapi-spec-extractor

Audit result: Fail

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [PRIVILEGE_ESCALATION]: The skill instructions direct the agent to attempt privilege escalation (e.g., using sudo or equivalent mechanisms) if Docker commands fail due to permission issues, which poses a significant security risk in local environments.
  • [COMMAND_EXECUTION]: The skill requires the agent to start the local application (SUT) on the host machine using framework-native commands (e.g., dotnet run, uvicorn, npm start, php artisan). This grants the agent the capability to execute arbitrary code within the context of the user's host environment.
  • [REMOTE_CODE_EXECUTION]: The generated test runner scripts (run_contract_tests.sh and run_contract_tests.ps1) utilize eval and Invoke-Expression to execute commands defined in the PRE_TEST_SETUP_CMD environment variable. This pattern is vulnerable to command injection if the variable contains untrusted input.
  • [EXTERNAL_DOWNLOADS]: The skill pulls the specmatic/enterprise:latest Docker image and installs multiple framework-specific libraries and CLI tools (e.g., drf-spectacular, scramble, rswag, swagger-jsdoc, ajv-cli). While these are standard development tools, they represent external code being integrated into the project.
  • [DATA_EXPOSURE]: The skill mounts the user's home .specmatic directory into the Docker container. This directory is intended for Specmatic license management but could potentially expose other sensitive configuration files or tokens to the containerized environment.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted project source code (routes, controllers, and metadata) to derive API contracts. Maliciously crafted source code could influence the agent's behavior during the contract refinement or testing phases.
      • Ingestion points: Application source code (controllers, routes, annotations, and configuration files).
      • Boundary markers: None identified in the provided instructions.
      • Capability inventory: Subprocess execution (dotnet, npm, docker), file system writes, and local network operations.
      • Sanitization: No sanitization of the extracted content is performed before it is used in the automated feedback loop.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 5, 2026, 01:25 PM