Swagger V2 Retrofit Generator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to do what it claims (fetch Swagger v2 docs and generate Kotlin Retrofit code), but users should handle API credentials and output paths carefully.
This looks like a normal Swagger-to-Retrofit generator. Before installing or using it, verify the Swagger URL, avoid putting secrets in command history where possible, prefer header-based credentials over query-string API keys, and review generated Kotlin files before adding them to your project.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you provide a username/password, bearer token, or API key, the skill will send it to the Swagger URL you specify.
The skill explicitly supports using service credentials to retrieve protected API documentation, which is purpose-aligned but sensitive.
Supports fetching Swagger docs via HTTP with no auth, Basic Auth, Bearer Token, and API Key auth.
Only use credentials for trusted API documentation endpoints, prefer least-privilege/read-only credentials, and avoid pasting production secrets unless necessary.
API keys placed in URLs may be exposed in shell history, proxy logs, server logs, or other URL-recording systems.
When configured with API-key-in-query mode, the script places the API key in the request URL query string.
query.append((api_key_name, api_key))
Prefer header-based API-key or bearer-token authentication when possible, and rotate any key that may have been exposed in logs.
The skill will make an outbound HTTP request to the Swagger documentation URL you provide.
The script fetches data from a user-provided URL, which is central to the skill's stated purpose.
with urllib.request.urlopen(request, timeout=30) as response:
Check that the URL is the intended API documentation endpoint before using the fetch command, especially when credentials are included.
Generated or fetched output may overwrite the file path you specify.
The script can write fetched Swagger JSON to a user-specified output file, which is expected but can overwrite files if the user chooses an existing path.
with open(args.output, 'w', encoding='utf-8') as f:
Use a deliberate output path and review generated Kotlin code before committing or building it into an app.
