openapi-parser
Pass
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only skill appears to help generate Drift tests from OpenAPI specs as advertised, with normal caution needed before running generated API tests.
This looks safe to install as an instruction-only helper. Provide trusted OpenAPI specs, review any remote references before fetching them, and treat the generated Drift YAML as code-like test configuration that should be inspected and run only in an appropriate test environment.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user runs the generated Drift YAML against a real service, it may send invalid or unauthorized requests and, for create/update endpoints, may change test data.
The skill can generate runnable API test definitions that intentionally exercise error/auth paths. This is purpose-aligned for test generation, but those tests should be reviewed before execution.
For 401 tests, strip global auth with `exclude: [auth]` and pass an invalid bearer token explicitly
Review generated operations before running them, and run them against a staging or test environment with intended credentials.
A malicious or mistaken spec could point the agent at unexpected local files in the spec directory or external URLs.
Resolving OpenAPI references may involve reading nearby local files or fetching URLs named in the spec. That is expected for OpenAPI parsing, but remote refs can come from untrusted specs.
- Local file refs: read the referenced file from the same directory
- Remote refs: fetch the URL if needed
Use trusted specs, inspect external $ref URLs, and ask for confirmation before fetching remote references.
