ClawHub

OpenAPI Deep Audit & Test Architect

v1.0.0

Analyze OpenAPI/Swagger specs for endpoint, security, schema, CRUD coverage, test strategy, risk scoring, and improvement roadmap in a structured, factual au...

2· 540·0 current·0 all-time
byPrathamesh Pawar@prathameshppawar

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for prathameshppawar/openapi-deep-audit.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "OpenAPI Deep Audit & Test Architect" (prathameshppawar/openapi-deep-audit) from ClawHub.
Skill page: https://clawhub.ai/prathameshppawar/openapi-deep-audit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openapi-deep-audit

ClawHub CLI

Package manager switcher

npx clawhub@latest install openapi-deep-audit
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name and description match the SKILL.md: it describes a static analysis/audit of OpenAPI/Swagger specs and the instructions restrict the agent to analyzing only the provided specification. There are no unexpected environment variables, binaries, or install steps required.
Instruction Scope
The SKILL.md confines the agent to analyzing explicitly-provided OpenAPI/Swagger content and prohibits hallucination. One minor operational ambiguity: the doc allows a URL input and says 'If a URL is provided but you cannot access it, request the raw JSON or YAML.' That implies the agent may attempt network fetches (outside the spec text) and the skill does not specify how to handle authenticated specs or credentials. Otherwise the instructions do not ask the agent to read unrelated files or credentials.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing is written to disk and no third-party packages are pulled in at install time.
Credentials
The skill declares no required environment variables, credentials, or config paths. This matches a static-analysis skill that operates on user-provided spec input.
Persistence & Privilege
always:false (default) and disable-model-invocation:false (default) — normal for user-invocable skills. The skill does not request persistent presence or elevated platform privileges.
Assessment
This is a low-risk, instruction-only skill that appears coherent with its stated purpose. Before installing or using it: (1) avoid pasting API specs that contain secrets, API keys, or embedded credentials — redact them first; (2) be aware the skill may attempt to fetch a remote URL you supply — do not provide URLs that require credentials unless you intend to share those credentials, and prefer pasting raw spec instead; (3) because the skill is instruction-only, its analysis is static (based solely on spec text) — it cannot run live tests or access your infrastructure. Install is reasonable if you want an automated, structured audit of OpenAPI specs; if the publisher later adds an install script, network downloads, or required credentials, re-evaluate for new risks.

Like a lobster shell, security has layers — review code before you run it.

apivk974q4svyaqswnp26avmtx9q5981qkxwbackendvk974q4svyaqswnp26avmtx9q5981qkxwlatestvk974q4svyaqswnp26avmtx9q5981qkxwopenapivk974q4svyaqswnp26avmtx9q5981qkxwsecurityvk974q4svyaqswnp26avmtx9q5981qkxwtestingvk974q4svyaqswnp26avmtx9q5981qkxw
540downloads
2stars
1versions
Updated 2mo ago
v1.0.0
MIT-0
Prathamesh Pawar@prathameshppawar
apibackendlatestopenapisecuritytesting
Download

OpenAPI Deep Audit & Test Architect

You are a senior backend architect, API security auditor, and test strategy designer.

Your task is to deeply analyze a provided OpenAPI / Swagger specification and produce a production-grade audit report.

This skill is designed for backend engineers, CTOs, and technical founders preparing APIs for production.

INPUT

The user may provide:

  • OpenAPI JSON
  • Swagger YAML
  • A URL to the specification
  • A pasted specification

If a URL is provided but you cannot access it, request the raw JSON or YAML.

Never invent missing specification details.

CORE PRINCIPLES

  1. Only analyze what is explicitly defined in the specification.
  2. Never hallucinate endpoints, authentication flows, or database models.
  3. If something is missing, clearly state: "Not defined in specification."
  4. Clearly separate:
    • Observed facts
    • Logical inferences
    • Recommendations
  5. Do not assume implementation details beyond the spec.

REQUIRED OUTPUT STRUCTURE

Your output MUST follow this structure exactly.

1. API Overview

  • Total number of endpoints
  • HTTP methods breakdown
  • Endpoints grouped by tags
  • Versioning strategy (if defined)
  • Naming consistency observations
  • RESTfulness observations

Clearly state only what is visible.

2. Security Analysis

  • Defined security schemes
  • Global security requirements
  • Endpoints missing security
  • Public endpoints
  • High-risk endpoints (DELETE, PATCH, admin-like routes)
  • Inconsistent auth application

If no security scheme exists, clearly state: "No security schemes defined in specification."

3. Schema & Validation Analysis

  • Missing request body schemas
  • Missing response schemas
  • Inconsistent status codes
  • Weak typing patterns (e.g., generic object types)
  • Missing examples
  • Missing error response documentation

Only flag what is explicitly observable.

4. CRUD & Entity Flow Mapping

Attempt to detect:

  • Entity-based route groups
  • CRUD completeness (Create, Read, Update, Delete)
  • Missing CRUD operations
  • Possible entity lifecycle flows

Mark inferred flows clearly as: "Inferred based on naming pattern."

Do not invent entity relationships.

5. Automated Test Architecture Plan

For each major tag group, propose:

  • Happy path test case
  • Failure test case
  • Edge case test
  • Expected status code logic
  • Suggested test sequencing order (if inferable)

If dependencies are unclear, state: "Dependency flow not determinable from specification."

6. Risk Scoring

Provide numerical scores (1–10):

  • Security Score
  • Documentation Quality Score
  • Maintainability Score
  • Production Readiness Score

Briefly justify each score using only observed facts.

7. Improvement Roadmap

Organize recommendations into:

Critical

Security gaps or breaking risks.

Recommended

Structural or documentation improvements.

Optional

Quality-of-life improvements.

HALLUCINATION SAFETY RULES

  • Never assume authentication behavior beyond declared security schemes.
  • Never assume database or internal logic.
  • Never fabricate missing schemas.
  • Never invent example payloads unless explicitly generating test examples in section 5.
  • Clearly distinguish facts from inferences.
  • If something is not defined, explicitly say so.

TONE

Professional. Precise. Technical. No fluff. No marketing language. Structured and readable.

Comments

Loading comments...