← Back to Skills Marketplace
charlie-morrison

API Contract Tester

by charlie-morrison · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
29
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install api-contract-tester
Description
Validate API contracts between services using consumer-driven contract testing. Generate and verify Pact contracts, OpenAPI compliance tests, and schema comp...
README (SKILL.md)

API Contract Tester

Validate that APIs honor their contracts. Generate consumer-driven contracts (Pact-style), verify OpenAPI spec compliance, test backward compatibility, and catch breaking changes before they reach production.

Use when: "test API contract", "check backward compatibility", "will this API change break consumers", "generate pact tests", "validate against OpenAPI spec", "contract testing", or before deploying API changes.

Commands

1. generate — Create Contract Tests from OpenAPI Spec

Step 1: Find OpenAPI/Swagger Specs

# Look for OpenAPI specs
find . -maxdepth 4 -name "*.yaml" -o -name "*.yml" -o -name "*.json" | \
  xargs grep -l '"openapi"\|"swagger"\|openapi:' 2>/dev/null

Step 2: Parse and Generate Tests

Read each endpoint from the spec. For every path + method combination, generate:

  1. Happy path test — valid request, verify response schema matches spec
  2. Required fields test — omit each required field, expect 400/422
  3. Type validation test — send wrong types, expect rejection
  4. Auth test — if security scheme defined, test without credentials → 401

Output format (Python/pytest):

import requests
import pytest

BASE_URL = "${BASE_URL}"

class TestContractUserEndpoint:
    """Contract tests for GET /api/users/{id}"""

    def test_happy_path(self):
        resp = requests.get(f"{BASE_URL}/api/users/1")
        assert resp.status_code == 200
        data = resp.json()
        # Verify response matches schema
        assert "id" in data
        assert isinstance(data["id"], int)
        assert "email" in data
        assert isinstance(data["email"], str)

    def test_not_found(self):
        resp = requests.get(f"{BASE_URL}/api/users/999999999")
        assert resp.status_code == 404

    def test_invalid_id_type(self):
        resp = requests.get(f"{BASE_URL}/api/users/not-a-number")
        assert resp.status_code in (400, 404, 422)

2. verify — Check API Against Existing Contracts

Step 1: Find Contract Files

# Look for Pact contracts, OpenAPI specs, or test fixtures
find . -maxdepth 4 \( -name "*.pact.json" -o -name "pacts" -type d -o -name "contract*.json" \) 2>/dev/null

Step 2: Verify Each Contract

For Pact contracts:

# If pact-verifier is installed
pact-verifier --provider-base-url=$PROVIDER_URL \
  --pact-url=./pacts/consumer-provider.json 2>&1

For OpenAPI specs, validate response schemas:

# Use openapi-spec-validator if available
pip install openapi-spec-validator 2>/dev/null
python3 -c "
from openapi_spec_validator import validate
validate({'openapi': '3.0.0', ...})  # parsed spec
print('Spec is valid')
"

If no tooling installed, manually validate by:

  1. Reading the spec
  2. Making requests to each endpoint
  3. Comparing response structure to declared schema
  4. Reporting mismatches

3. breaking-changes — Detect Breaking API Changes

Compare two versions of an OpenAPI spec and identify breaking vs. non-breaking changes.

Step 1: Get Both Versions

# Current version
cat api/openapi.yaml

# Previous version (from git)
git show HEAD~1:api/openapi.yaml > /tmp/old-spec.yaml 2>/dev/null || \
git show main:api/openapi.yaml > /tmp/old-spec.yaml

Step 2: Classify Changes

Breaking changes (MUST flag):

  • Removed endpoint (path+method gone)
  • Removed or renamed response field
  • Changed field type (string → integer)
  • New required request parameter
  • Changed response status code for same operation
  • Removed enum value
  • Tightened validation (shorter maxLength, new pattern)

Non-breaking changes (informational):

  • New optional field in response
  • New optional query parameter
  • New endpoint added
  • Added enum value
  • Loosened validation
  • New response status code (additional error case)

Step 3: Report

# API Breaking Change Report

## Breaking Changes (3 found)
1. `DELETE /api/users/{id}` — endpoint removed
   Impact: Any consumer calling this endpoint will get 404
   Migration: Use `PATCH /api/users/{id}` with `{active: false}` instead

2. `GET /api/orders` — response field `total_price` renamed to `amount`
   Impact: All consumers parsing `total_price` will break
   Migration: Add `total_price` as alias for one version cycle

3. `POST /api/orders` — new required field `currency`
   Impact: Existing requests without `currency` will fail validation
   Migration: Default to "USD" if not provided (temporary)

## Non-Breaking Changes (2 found)
- `GET /api/users` — new optional `?role=` filter parameter
- `GET /api/orders/{id}` — new `tracking_url` field in response

## Recommendation
3 breaking changes detected. Bump major version (v2 → v3) or add versioned endpoint prefix.

4. compatibility-matrix — Map Consumer Dependencies

Analyze which consumers depend on which API endpoints and fields:

# Search consumer codebases for API calls
rg -r '$1' 'fetch\(["\x27]([^"]+)["\x27]' --type js --type ts 2>/dev/null
rg -r '$1' 'requests\.(get|post|put|delete)\(["\x27]([^"]+)' --type py 2>/dev/null
rg -r '$1' 'axios\.(get|post|put|delete)\(["\x27]([^"]+)' --type js --type ts 2>/dev/null

Produce a matrix:

Endpoint          | consumer-web | consumer-mobile | consumer-worker
GET /api/users    |     ✓        |       ✓         |
POST /api/orders  |     ✓        |       ✓         |       ✓
DELETE /api/users  |              |                 |

Flag endpoints with zero consumers as deprecation candidates.

Usage Guidance
This skill's behavior is plausible for API contract testing, but the registry entries omit key runtime requirements. Before installing or running it: (1) require the publisher to declare needed binaries (git, python3, pip, pact-verifier, rg) and env vars (BASE_URL, PROVIDER_URL) so you can audit them; (2) run the skill in an isolated environment or container/CI job to avoid exposing repository secrets and to contain any runtime pip installs; (3) verify any on-demand installs (pip) are from trusted packages and consider pre-installing vetted tooling; (4) ensure the workspace doesn't contain sensitive tokens the skill could read; and (5) ask the publisher for a homepage or source repository so you can review the exact commands and sample outputs. These steps will reduce risk and clarify whether the missing metadata was an oversight or a red flag.
Capability Analysis
Type: OpenClaw Skill Name: api-contract-tester Version: 1.0.0 The api-contract-tester skill is designed for validating API contracts and detecting breaking changes using standard tools like find, grep, ripgrep, and git. It generates legitimate Python test code and uses well-known libraries such as openapi-spec-validator and pact-verifier, with all actions clearly aligned with its stated purpose of API maintenance and testing.
Capability Assessment
Purpose & Capability
The SKILL.md expects tools and data typical for contract testing (git, python3, pip, pact-verifier, requests/pytest, ripgrep/rg, and environment variables like BASE_URL and PROVIDER_URL), but the registry metadata declares no required binaries or env vars. That discrepancy is incoherent: someone building this skill would reasonably need to declare those runtime dependencies and primary credentials/endpoints.
Instruction Scope
Runtime instructions tell the agent to search the repository (find, rg), read files (OpenAPI specs, pacts, git history), make network requests against provider endpoints, and optionally pip install validator packages. These actions are within the stated purpose but are broad — they enable reading arbitrary repo files and making outbound requests, which can surface secrets or transmit data if the working directory contains sensitive information. Also several variables (BASE_URL, PROVIDER_URL) are referenced but not declared.
Install Mechanism
There is no install spec (instruction-only), so nothing will be written by a package installer up-front. However, the instructions include runtime operations that install packages (pip install openapi-spec-validator) and expect external tooling (pact-verifier). Relying on on-demand pip installs is less safe than declaring and vetting an install step and means arbitrary code can be pulled during execution.
Credentials
The skill declares no required env vars, yet the instructions reference BASE_URL and PROVIDER_URL and implicitly expect potentially sensitive auth info when testing secured endpoints. It also directs searching consumer codebases for call sites, which could expose tokens/credentials embedded in code. The lack of declared env vars and credential guidance is a mismatch and increases risk.
Persistence & Privilege
The skill is not always-enabled and does not request persistent modifications to agent configuration or other skills. It writes temporary files (e.g., /tmp/old-spec.yaml) and may install packages at runtime, but it does not request elevated platform privileges in the metadata.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install api-contract-tester
  3. After installation, invoke the skill by name or use /api-contract-tester
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of API Contract Tester — Automated contract, compatibility, and breaking change checks for APIs. - Generate and verify consumer-driven contract tests from OpenAPI specs or Pact contracts. - Automatically check API endpoints for backward compatibility and breaking changes. - Validate API implementations against OpenAPI and Pact contracts. - Produce compatibility matrices to map API usage by each consumer. - Includes CLI-ready commands and sample test output for quick adoption.
Metadata
Slug api-contract-tester
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is API Contract Tester?

Validate API contracts between services using consumer-driven contract testing. Generate and verify Pact contracts, OpenAPI compliance tests, and schema comp... It is an AI Agent Skill for Claude Code / OpenClaw, with 29 downloads so far.

How do I install API Contract Tester?

Run "/install api-contract-tester" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is API Contract Tester free?

Yes, API Contract Tester is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does API Contract Tester support?

API Contract Tester is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created API Contract Tester?

It is built and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments