Is awlevin/openapi2cli safe?
https://github.com/openclaw/skills/tree/main/skills/awlevin/openapi2cli
The openapi2cli skill contains only documentation (SKILL.md) and metadata (_meta.json) with no executable code, no prompt injection, no git hooks, no submodules, and no suspicious install scripts. Canary honeypot files were opened during monitoring but are confirmed intact (✅), with timing and process context indicating audit infrastructure rather than the skill. The primary security concerns are inherent to the skill's intended functionality: the agent is guided to run uvx openapi2cli generate against user-supplied URLs, which downloads a PyPI package and generates Python scripts that are then executed. This creates a fetch-and-execute attack surface that is exploitable via indirect prompt injection or via supply chain compromise of the openapi2cli PyPI package.
Findings (8)
MEDIUM: Canary credential files opened during monitoring window (score -10)
inotify and auditd recorded OPEN+ACCESS events on all six honeypot credential files at two time points. Attribution is consistent with audit infrastructure (pre-clone baseline and post-install teardown), and no writes or network exfiltration were detected. Canary integrity confirmed ✅. However, the reads cannot be conclusively attributed to the audit system alone without process-level PID tracing correlating each open() call to a specific executable.
MEDIUM: Skill enables fetch-and-execute of remote code via uvx (score -15)
The skill's core workflow instructs agents to run uvx openapi2cli generate
LOW: PyPI supply chain risk from uvx openapi2cli (score -12)
uvx fetches openapi2cli from PyPI at invocation time without version pinning. A compromised or typosquatted version of the package could execute malicious code in the agent's process context. The PyPI link in SKILL.md resolves to a real package, but future versions are not audited by this scan.
LOW: Generated CLI scripts are user-controlled code executed by agent (score -8)
The output of uvx openapi2cli generate is a Python script the agent is instructed to execute directly. The content of this script is determined by the OpenAPI spec URL. Attacker-controlled specs produce attacker-controlled executables.
LOW: Hardcoded example URLs may bias agent toward specific fetch targets (score -7)
SKILL.md contains a concrete example with a GitHub raw content URL for the GitHub REST API spec. Agents trained on this skill may default to fetching from this URL without explicit user direction.
LOW: Runtime CLIs communicate with arbitrary API endpoints using auth credentials (score -5)
Generated CLIs are designed to carry API keys and send them to arbitrary base URLs. If an agent is social-engineered into generating a CLI from a malicious spec, credentials passed via environment or flags could be forwarded to an attacker endpoint.
INFO: Skill author/homepage namespace mismatch (score -7)
Published slug is awlevin/openapi2cli but the homepage field references github.com/Olafs-World/openapi2cli. Possible republication or fork without clear provenance disclosure.
INFO: Ubuntu MOTD connection to 185.125.190.17:443 logged (score 0)
An outbound TLS connection to 185.125.190.17 (Canonical/Ubuntu) was observed. This originates from /etc/update-motd.d/50-motd-news on SSH login, not from the skill.