CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/api

Find and call Tessl API endpoints token-efficiently. Fires whenever an agent needs a Tessl REST API endpoint — to discover which endpoint does something, learn its path/parameters/request-body/response shape, or actually call it via `tessl api`. Searches and renders just the one endpoint you need instead of loading the whole openapi.json into context.

87

1.91x
Quality

94%

Does it follow best practices?

Impact

94%

1.91x

Average score across 2 eval scenarios

SecuritybySnyk

Advisory

Suggest reviewing before use

Overview
Quality
Evals
Security
Files

Security

2 findings — 2 medium severity. This skill can be installed but you should review these findings before use.

Medium

W011: Third-party content exposure detected (indirect prompt injection risk)

What this means

The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.

Why it was flagged

Third-party content exposure detected (high risk: 0.85). The skill fetches and parses the public OpenAPI JSON from `https://api.tessl.io/openapi.json` at runtime (`fetch_spec_from_network()` → `json.loads()`), then renders endpoint descriptions/fields into LLM-readable text during `search`/`show`, so outsider-authored free text from a public web source can enter the agent context.

Report incorrect finding
Medium

W012: Unverifiable external dependency detected (runtime URL that controls agent)

What this means

The skill fetches instructions or code from an external URL at runtime, and the fetched content directly controls the agent’s prompts or executes code. This dynamic dependency allows the external source to modify the agent’s behavior without any changes to the skill itself.

Why it was flagged

Potentially malicious external URL detected (high risk: 0.90). The script fetches the OpenAPI spec at runtime from https://api.tessl.io/openapi.json and uses that fetched content to generate endpoint descriptions and ready-to-run invocation lines (i.e., agent-facing instructions), making the remote URL a required runtime dependency that directly controls agent prompts.

Audited
Security analysis
Snyk