Find and call Tessl API endpoints token-efficiently. Fires whenever an agent needs a Tessl REST API endpoint — to discover which endpoint does something, learn its path/parameters/request-body/response shape, or actually call it via `tessl api`. Searches and renders just the one endpoint you need instead of loading the whole openapi.json into context.
87
94%
Does it follow best practices?
Impact
94%
1.91xAverage score across 2 eval scenarios
Advisory
Suggest reviewing before use
Security
2 findings — 2 medium severity. This skill can be installed but you should review these findings before use.
The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.
Third-party content exposure detected (high risk: 0.85). The skill fetches and parses the public OpenAPI JSON from `https://api.tessl.io/openapi.json` at runtime (`fetch_spec_from_network()` → `json.loads()`), then renders endpoint descriptions/fields into LLM-readable text during `search`/`show`, so outsider-authored free text from a public web source can enter the agent context.
The skill fetches instructions or code from an external URL at runtime, and the fetched content directly controls the agent’s prompts or executes code. This dynamic dependency allows the external source to modify the agent’s behavior without any changes to the skill itself.
Potentially malicious external URL detected (high risk: 0.90). The script fetches the OpenAPI spec at runtime from https://api.tessl.io/openapi.json and uses that fetched content to generate endpoint descriptions and ready-to-run invocation lines (i.e., agent-facing instructions), making the remote URL a required runtime dependency that directly controls agent prompts.