SchemGuard
Pass
Audited by ClawScan on May 1, 2026.
Overview
SchemGuard appears purpose-aligned for OpenAPI diffing and linting, with the main caution that it runs an external unpinned npm package and can optionally expose MCP tools.
This skill is reasonable for checking OpenAPI compatibility. Before installing or using it in CI, verify the npm package identity and consider pinning a trusted version. If you enable the MCP server, do so only in repositories where the agent is allowed to inspect the relevant API specifications.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may be running code fetched from npm, so package identity and version matter.
The documented workflow executes an external npm package through npx, and the artifact does not pin a version or provide reviewed package contents. This is expected for the skill's purpose but creates a provenance/version verification point.
npx @sethclawd/schemaguard diff old.yaml new.yaml
Verify the npm package publisher and consider pinning or reviewing a specific version before using it in sensitive repositories or CI.
If enabled, the connected agent may process OpenAPI specs that could contain internal endpoint, schema, or security-scheme details.
The skill can expose its functionality through an MCP server for direct tool integration. This is purpose-aligned, but it means a connected agent could call these tools on API spec files made available to it.
npx @sethclawd/schemaguard --mcp
Exposes: `schemaguard_diff`, `schemaguard_lint`, `schemaguard_check`
Enable the MCP server only in trusted workspaces and provide only the intended OpenAPI spec files.
