功能描述

Validate API contracts between services using consumer-driven contract testing. Generate and verify Pact contracts, OpenAPI compliance tests, and schema comp...

使用说明 (SKILL.md)

API Contract Tester

Name: API Contract Tester
Author: charlie-morrison

Validate that APIs honor their contracts. Generate consumer-driven contracts (Pact-style), verify OpenAPI spec compliance, test backward compatibility, and catch breaking changes before they reach production.

Use when: "test API contract", "check backward compatibility", "will this API change break consumers", "generate pact tests", "validate against OpenAPI spec", "contract testing", or before deploying API changes.

Commands

1. `generate` — Create Contract Tests from OpenAPI Spec

Step 1: Find OpenAPI/Swagger Specs

# Look for OpenAPI specs
find . -maxdepth 4 -name "*.yaml" -o -name "*.yml" -o -name "*.json" | \
  xargs grep -l '"openapi"\|"swagger"\|openapi:' 2>/dev/null

Step 2: Parse and Generate Tests

Read each endpoint from the spec. For every path + method combination, generate:

Happy path test — valid request, verify response schema matches spec
Required fields test — omit each required field, expect 400/422
Type validation test — send wrong types, expect rejection
Auth test — if security scheme defined, test without credentials → 401

Output format (Python/pytest):

import requests
import pytest

BASE_URL = "${BASE_URL}"

class TestContractUserEndpoint:
    """Contract tests for GET /api/users/{id}"""

    def test_happy_path(self):
        resp = requests.get(f"{BASE_URL}/api/users/1")
        assert resp.status_code == 200
        data = resp.json()
        # Verify response matches schema
        assert "id" in data
        assert isinstance(data["id"], int)
        assert "email" in data
        assert isinstance(data["email"], str)

    def test_not_found(self):
        resp = requests.get(f"{BASE_URL}/api/users/999999999")
        assert resp.status_code == 404

    def test_invalid_id_type(self):
        resp = requests.get(f"{BASE_URL}/api/users/not-a-number")
        assert resp.status_code in (400, 404, 422)

2. `verify` — Check API Against Existing Contracts

Step 1: Find Contract Files

# Look for Pact contracts, OpenAPI specs, or test fixtures
find . -maxdepth 4 \( -name "*.pact.json" -o -name "pacts" -type d -o -name "contract*.json" \) 2>/dev/null

Step 2: Verify Each Contract

For Pact contracts:

# If pact-verifier is installed
pact-verifier --provider-base-url=$PROVIDER_URL \
  --pact-url=./pacts/consumer-provider.json 2>&1

For OpenAPI specs, validate response schemas:

# Use openapi-spec-validator if available
pip install openapi-spec-validator 2>/dev/null
python3 -c "
from openapi_spec_validator import validate
validate({'openapi': '3.0.0', ...})  # parsed spec
print('Spec is valid')
"

If no tooling installed, manually validate by:

Reading the spec
Making requests to each endpoint
Comparing response structure to declared schema
Reporting mismatches

3. `breaking-changes` — Detect Breaking API Changes

Compare two versions of an OpenAPI spec and identify breaking vs. non-breaking changes.

Step 1: Get Both Versions

# Current version
cat api/openapi.yaml

# Previous version (from git)
git show HEAD~1:api/openapi.yaml > /tmp/old-spec.yaml 2>/dev/null || \
git show main:api/openapi.yaml > /tmp/old-spec.yaml

Step 2: Classify Changes

Breaking changes (MUST flag):

Removed endpoint (path+method gone)
Removed or renamed response field
Changed field type (string → integer)
New required request parameter
Changed response status code for same operation
Removed enum value
Tightened validation (shorter maxLength, new pattern)

Non-breaking changes (informational):

New optional field in response
New optional query parameter
New endpoint added
Added enum value
Loosened validation
New response status code (additional error case)

Step 3: Report

# API Breaking Change Report

## Breaking Changes (3 found)
1. `DELETE /api/users/{id}` — endpoint removed
   Impact: Any consumer calling this endpoint will get 404
   Migration: Use `PATCH /api/users/{id}` with `{active: false}` instead

2. `GET /api/orders` — response field `total_price` renamed to `amount`
   Impact: All consumers parsing `total_price` will break
   Migration: Add `total_price` as alias for one version cycle

3. `POST /api/orders` — new required field `currency`
   Impact: Existing requests without `currency` will fail validation
   Migration: Default to "USD" if not provided (temporary)

## Non-Breaking Changes (2 found)
- `GET /api/users` — new optional `?role=` filter parameter
- `GET /api/orders/{id}` — new `tracking_url` field in response

## Recommendation
3 breaking changes detected. Bump major version (v2 → v3) or add versioned endpoint prefix.

4. `compatibility-matrix` — Map Consumer Dependencies

Analyze which consumers depend on which API endpoints and fields:

# Search consumer codebases for API calls
rg -r '$1' 'fetch\(["\x27]([^"]+)["\x27]' --type js --type ts 2>/dev/null
rg -r '$1' 'requests\.(get|post|put|delete)\(["\x27]([^"]+)' --type py 2>/dev/null
rg -r '$1' 'axios\.(get|post|put|delete)\(["\x27]([^"]+)' --type js --type ts 2>/dev/null

Produce a matrix:

Endpoint          | consumer-web | consumer-mobile | consumer-worker
GET /api/users    |     ✓        |       ✓         |
POST /api/orders  |     ✓        |       ✓         |       ✓
DELETE /api/users  |              |                 |

Flag endpoints with zero consumers as deprecation candidates.

安全使用建议

This skill's behavior is plausible for API contract testing, but the registry entries omit key runtime requirements. Before installing or running it: (1) require the publisher to declare needed binaries (git, python3, pip, pact-verifier, rg) and env vars (BASE_URL, PROVIDER_URL) so you can audit them; (2) run the skill in an isolated environment or container/CI job to avoid exposing repository secrets and to contain any runtime pip installs; (3) verify any on-demand installs (pip) are from trusted packages and consider pre-installing vetted tooling; (4) ensure the workspace doesn't contain sensitive tokens the skill could read; and (5) ask the publisher for a homepage or source repository so you can review the exact commands and sample outputs. These steps will reduce risk and clarify whether the missing metadata was an oversight or a red flag.

功能分析

Type: OpenClaw Skill Name: api-contract-tester Version: 1.0.0 The api-contract-tester skill is designed for validating API contracts and detecting breaking changes using standard tools like find, grep, ripgrep, and git. It generates legitimate Python test code and uses well-known libraries such as openapi-spec-validator and pact-verifier, with all actions clearly aligned with its stated purpose of API maintenance and testing.

能力评估

⚠ Purpose & Capability

The SKILL.md expects tools and data typical for contract testing (git, python3, pip, pact-verifier, requests/pytest, ripgrep/rg, and environment variables like BASE_URL and PROVIDER_URL), but the registry metadata declares no required binaries or env vars. That discrepancy is incoherent: someone building this skill would reasonably need to declare those runtime dependencies and primary credentials/endpoints.

⚠ Instruction Scope

Runtime instructions tell the agent to search the repository (find, rg), read files (OpenAPI specs, pacts, git history), make network requests against provider endpoints, and optionally pip install validator packages. These actions are within the stated purpose but are broad — they enable reading arbitrary repo files and making outbound requests, which can surface secrets or transmit data if the working directory contains sensitive information. Also several variables (BASE_URL, PROVIDER_URL) are referenced but not declared.

ℹ Install Mechanism

There is no install spec (instruction-only), so nothing will be written by a package installer up-front. However, the instructions include runtime operations that install packages (pip install openapi-spec-validator) and expect external tooling (pact-verifier). Relying on on-demand pip installs is less safe than declaring and vetting an install step and means arbitrary code can be pulled during execution.

⚠ Credentials

The skill declares no required env vars, yet the instructions reference BASE_URL and PROVIDER_URL and implicitly expect potentially sensitive auth info when testing secured endpoints. It also directs searching consumer codebases for call sites, which could expose tokens/credentials embedded in code. The lack of declared env vars and credential guidance is a mismatch and increases risk.

✓ Persistence & Privilege

The skill is not always-enabled and does not request persistent modifications to agent configuration or other skills. It writes temporary files (e.g., /tmp/old-spec.yaml) and may install packages at runtime, but it does not request elevated platform privileges in the metadata.

版本历史

v1.0.0

Initial release of API Contract Tester — Automated contract, compatibility, and breaking change checks for APIs. - Generate and verify consumer-driven contract tests from OpenAPI specs or Pact contracts. - Automatically check API endpoints for backward compatibility and breaking changes. - Validate API implementations against OpenAPI and Pact contracts. - Produce compatibility matrices to map API usage by each consumer. - Includes CLI-ready commands and sample test output for quick adoption.

元数据

Slug api-contract-tester

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题