OpenAPI to CLI

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing or using the skill may run code from the external openapi2cli package.

Why it was flagged

The skill runs an external package through uvx, and no version pin is shown in the artifact. This is expected for a CLI-generation skill, but it means the package's provenance and version are being trusted implicitly rather than verified.

Skill content

uvx openapi2cli generate https://api.example.com/openapi.json --output my-api

Recommendation

Use the package from a trusted source, consider pinning a known-good version, and review the linked PyPI/GitHub project before relying on it.

What this means

Running the generated Python file can perform local code execution and make API requests according to the generated client.

Why it was flagged

The intended workflow includes generating and running a Python CLI file. This is purpose-aligned, but it is still generated code execution.

Skill content

python my-cli.py users list

Recommendation

Generate clients in a controlled directory, use trusted OpenAPI specs, and review or test generated scripts before using them with real credentials.

What this means

If a user provides powerful API tokens, the generated CLI may act with those permissions.

Why it was flagged

The generated CLIs can use authentication credentials. That is expected for API tools, but those credentials may grant real account or service access.

Skill content

Supports auth: API keys, Bearer tokens, Basic auth

Recommendation

Use least-privilege tokens, prefer test or read-only credentials when possible, and avoid exposing secrets in shell history by supplying them through the environment rather than as command-line arguments.

What this means

A generated CLI may create or change data in a connected API if used with sufficient credentials.

Why it was flagged

The generated CLI can expose mutating API operations such as create actions. This fits the purpose, but agents should not run mutating commands without user intent.

Skill content

python my-api.py posts create --title "Hello" --body "World"

Recommendation

Require explicit user confirmation for create, update, delete, publish, or other state-changing API commands, and use the documented dry-run mode before sending important requests.