skillsSource-backedReview first Safety ✓ Privacy ✓
mcp-use OpenAPI to MCP Skill
Agent Skill from mcp-use for turning OpenAPI or Swagger specs into MCP servers with operation-to-tool mapping, auth wiring, Zod schema generation, inspector testing, and streamable HTTP deployment.
HarnessClaude CodeCodexWindsurfGeminiCursorCLI
Level:expertType:capability-packVerified:validated
Review first — review before installing
Open the source and read safety notes before installing.
Safety notes
- Generated MCP tools can expose every selected REST operation from a source API, including destructive or account-changing endpoints if the operation filter is too broad.
- Large OpenAPI specs can create noisy tool surfaces. Filter by tag or operation list when the API has many endpoints.
- Auth wiring may include API keys, bearer tokens, basic auth, OAuth bearer tokens, and environment variables; never put secret values in the spec, generated source, prompts, or PR text.
- The skill recommends streamable HTTP for generated mcp-use servers; review deployment auth, CORS, rate limits, logs, and public reachability before publishing.
- Human review is needed for generated schemas, tool descriptions, error handling, and write operations before giving an agent access to real accounts.
Privacy notes
- OpenAPI specs can expose private endpoint names, internal domains, auth schemes, schemas, object fields, customer concepts, and operational workflows.
- Tool calls can send prompts, arguments, request bodies, auth-scoped API responses, error payloads, and logs through the MCP server, model provider, and deployment platform.
- Keep API keys, tokens, OAuth secrets, cookies, private base URLs, customer data, and internal spec comments out of public examples, repository files, issue comments, and screenshots.
- For third-party or customer APIs, confirm data retention and logging behavior across the MCP client, mcp-use deployment target, model provider, and API provider.
Prerequisites
- An OpenAPI 3.x or Swagger 2.0 spec from a local file, URL, or pasted source.
- Node.js and npm or pnpm for `create-mcp-use-app`, TypeScript, swagger-parser, Zod, and mcp-use tooling.
- An MCP client or coding agent that can install and use Agent Skills from GitHub.
- Known target API base URL, authentication scheme, operation filter, and deployment intent before broad tool generation.
- API credentials kept outside prompts and committed files, using environment variables and `.env.example` documentation.
Schema details
- Install type
- package
- Reading time
- 8 min
- Difficulty score
- 84
- Troubleshooting
- Yes
- Breaking changes
- No
Source repository stats
- Scope
- Source repo
Package metadata
Skill and platform metadata
- Skill type
- capability-pack
- Skill level
- expert
- Verification
- validated
- Verified at
- 2026-06-18
Retrieval sources
https://github.com/mcp-use/mcp-usehttps://raw.githubusercontent.com/mcp-use/mcp-use/main/skills/openapi-to-mcp/SKILL.mdhttps://raw.githubusercontent.com/mcp-use/mcp-use/main/skills/openapi-to-mcp/references/mapping-rules.mdhttps://raw.githubusercontent.com/mcp-use/mcp-use/main/skills/openapi-to-mcp/references/auth.mdhttps://raw.githubusercontent.com/mcp-use/mcp-use/main/skills/openapi-to-mcp/references/testing.mdhttps://www.skills.sh/mcp-use/mcp-use/openapi-to-mcp
Tested platforms
Claude CodeCodexCursorGeneric Agent Skills hosts
| Platform | Support | Install path |
|---|---|---|
| claude-code | Native | .claude/skills/<skill-name>/SKILL.md |
| codex | Native | .agents/skills/<skill-name>/SKILL.md |
| windsurf | Native | .windsurf/skills/<skill-name>/SKILL.md |
| gemini | Native | .gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md |
| cursor | Adapter | .cursor/rules/<skill-name>.mdc |
| cli | Manual | AGENTS.md or tool-specific context file |
Tool listing metadata
Full copyable content
npx skills add https://github.com/mcp-use/mcp-use --skill openapi-to-mcp
# Update installed skills
npx skills updateAbout this resource
mcp-use OpenAPI to MCP Skill
openapi-to-mcp is an Agent Skill in mcp-use/mcp-use for converting OpenAPI
or Swagger specs into MCP servers. It tells a coding agent how to scope the API,
dereference the spec, scaffold with create-mcp-use-app, map operations to
tools, generate Zod schemas, wire authentication, test the server, and deploy it
as a streamable HTTP MCP endpoint.
This is a strong fit for Claude Code, Codex, Cursor, and other coding agents when a user says things like "turn this OpenAPI spec into an MCP server," "make this API usable from Claude," or "wrap this Swagger doc as MCP tools."
Knowledge Freshness
The skill is tied to active mcp-use TypeScript SDK patterns and current MCP transport/deployment expectations. OpenAPI tooling, mcp-use scaffold templates, MCP Apps support, streamable HTTP behavior, inspector testing, and deployment paths can change.
Use the skill for its end-to-end workflow, then verify exact commands, template names, package versions, transport guidance, auth conventions, and deployment requirements against the current mcp-use repository and docs.
Retrieval Sources
This listing is grounded in:
- The upstream
skills/openapi-to-mcp/SKILL.mdfile. - The OpenAPI mapping, auth, and testing reference files in the same skill folder.
- The public skills.sh listing for
openapi-to-mcp. - Current GitHub repository metadata for
mcp-use/mcp-use.
Core Workflow
Install the skill from the mcp-use repository:
npx skills add https://github.com/mcp-use/mcp-use --skill openapi-to-mcp
Update installed skills:
npx skills update
Then invoke it before starting an OpenAPI wrapper:
Use the mcp-use OpenAPI to MCP Skill to turn this OpenAPI spec into an MCP server.
The skill starts by locking the spec source, server base URL, auth scheme, operation filter, and widget requirements before code generation. That prevents the common failure mode where an agent exposes hundreds of low-value or unsafe tools from a large API.
Capability Scope
The skill covers a full OpenAPI-to-MCP build path:
| Stage | Scope |
|---|---|
| Scoping | Spec source, base URL, auth, operation filter, and widget decision |
| Spec ingestion | Local file, URL, or pasted OpenAPI/Swagger source |
| Dereferencing | Swagger Parser workflow, $ref handling, and Swagger 2.0 conversion |
| Scaffold | create-mcp-use-app blank or MCP Apps templates |
| Project structure | index.ts, client, auth, operations, schema, scripts, and .env.example |
| Tool mapping | operationId, paths, methods, summaries, descriptions, parameters, request bodies, responses, and security |
| Schema generation | OpenAPI schema to Zod conversion for strings, enums, numbers, arrays, objects, unions, nullable fields, and descriptions |
| Auth | API key, bearer, basic, OAuth bearer, and env-var boundaries |
| Transport | Streamable HTTP through mcp-use server.listen() |
| Testing | mcp-use client, inspector, curl-style checks, and representative tool calls |
| Deployment | Production deployment flow, env var setup, and public endpoint review |
Production Rules
Use this skill with source-of-truth discipline:
- Treat the OpenAPI document as the contract for tool names, descriptions, parameter shapes, request bodies, response shapes, and auth requirements.
- Do not invent operations or broaden the exposed API beyond the selected filter.
- Prefer mechanical fidelity to the spec over hand-written creative summaries.
- Keep auth secrets in environment variables and document only variable names in
.env.example. - Review generated write operations, admin operations, bulk mutations, and payment/account-changing tools before giving an agent access to credentials.
- Run local mcp-use client or inspector tests before deployment.
- Deploy only after checking transport, auth, CORS, rate limits, logging, observability, and public reachability.
Use Cases
- Convert an internal OpenAPI spec into a private MCP server for Claude Code.
- Wrap a third-party REST API as a small set of filtered MCP tools.
- Generate typed tool schemas from a Swagger document instead of hand-writing brittle argument schemas.
- Test an API wrapper with the mcp-use inspector before connecting it to production credentials.
- Build a streamable HTTP MCP endpoint that can later support Claude, ChatGPT, or other remote MCP clients.
Source Review
- The skill describes an end-to-end recipe: scope, ingest spec, map operations, scaffold, generate tools, wire auth, test, and deploy.
- The entrypoint explicitly covers OpenAPI 3.x and Swagger 2.0 specs from a file, URL, or pasted source.
- The skill says each operation becomes one MCP tool and that the OpenAPI document is the source of truth.
- It instructs agents to filter large specs by tag or operation list to avoid polluting the model's tool list.
- The mapping reference covers operation naming, parameter and request-body handling, response-shape gotchas, and schema conversion.
- The auth and testing references cover environment-variable auth wiring and live validation with mcp-use tooling.
Duplicate Review
Checked current content/skills/, content/mcp/, content/agents/,
content/tools/, open pull requests, and repository-wide content for
openapi-to-mcp, OpenAPI to MCP Skill, mcp-use OpenAPI, Swagger to MCP,
generate MCP server from OpenAPI, and wrap REST API as MCP. Existing content
includes general MCP authoring/security skills and some OpenAPI-related MCP
servers, but no dedicated mcp-use OpenAPI-to-MCP Agent Skill entry, exact source
URL duplicate, target file, or open duplicate PR was found.
Disclosure
Editorial listing. No paid placement or affiliate link is used. The skill lives
in the mcp-use/mcp-use repository and should be reviewed against the upstream
license files before redistributing bundled artifacts.
Source citations
Add this badge to your README
Show that mcp-use OpenAPI to MCP Skill is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/skills/mcp-use-openapi-to-mcp-skill)How it compares
mcp-use OpenAPI to MCP Skill side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | mcp-use OpenAPI to MCP Skill Agent Skill from mcp-use for turning OpenAPI or Swagger specs into MCP servers with operation-to-tool mapping, auth wiring, Zod schema generation, inspector testing, and streamable HTTP deployment. Open dossier | Google Cloud Agent Skills Google Agent Skills catalog for AI agents working with Google Cloud, Gemini Enterprise Agent Platform, Gemini APIs, Skill Registry, Cloud Run, BigQuery, Firebase, GKE, Cloud SQL, AlloyDB, gcloud, auth, onboarding, and Well-Architected Framework guidance. Open dossier | Anthropic Agent Skills Anthropic's public Agent Skills repository for Claude, with example skills, document skills, the Agent Skills specification pointer, a template skill, Claude Code plugin installation, Claude.ai usage guidance, and Claude API skill creation references. Open dossier | Dart Agent Skills Official Dart team Agent Skills for AI coding agents working on Dart unit tests, CLI apps, coverage, runtime errors, mocks, package conflicts, static analysis, Native Assets, FFI, ffigen, and pattern matching. Open dossier |
|---|---|---|---|---|
| Trust | ||||
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Category | skills | skills | skills | skills |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | mcp-use | Anthropic | Dart Team | |
| Added | 2026-06-18 | 2026-06-18 | 2026-06-18 | 2026-06-18 |
| Platforms | Claude CodeCodexWindsurfGeminiCursorCLI | Claude CodeCodexWindsurfGeminiCursorCLI | Claude CodeCodexWindsurfGeminiCursorCLI | Claude CodeCodexWindsurfGeminiCursorCLI |
| Source repo | — | — | — | — |
| Safety notes | ✓Generated MCP tools can expose every selected REST operation from a source API, including destructive or account-changing endpoints if the operation filter is too broad. Large OpenAPI specs can create noisy tool surfaces. Filter by tag or operation list when the API has many endpoints. Auth wiring may include API keys, bearer tokens, basic auth, OAuth bearer tokens, and environment variables; never put secret values in the spec, generated source, prompts, or PR text. The skill recommends streamable HTTP for generated mcp-use servers; review deployment auth, CORS, rate limits, logs, and public reachability before publishing. Human review is needed for generated schemas, tool descriptions, error handling, and write operations before giving an agent access to real accounts. | ✓Google Cloud skills can create, update, delete, deploy, query, or configure cloud resources, datasets, IAM policies, service accounts, APIs, containers, jobs, and networking. The gcloud skill requires command validation and safety guardrails before invoking Google Cloud CLI commands; do not let agents improvise cloud commands from memory. Skill Registry guidance includes skill lifecycle management such as upload, update, and permanent delete operations; validate environment and approval before use. Cloud Run, GKE, BigQuery, Firebase, Cloud SQL, AlloyDB, and Gemini API workflows can create cost, expose endpoints, alter data, or change production behavior. The repository notes active development, so verify exact commands, product names, API availability, and launch-stage limits before production use. | ✓The repository is explicitly presented as demonstration and educational material; behavior available in Claude products can differ from repository examples. Document skills can read, transform, and create files such as PDFs, Word documents, PowerPoint decks, and spreadsheets, so review generated artifacts before sharing or publishing them. The MCP builder skill guides agents through creating MCP servers and evaluations; generated servers still need security review, least-privilege tool design, authentication review, and transport testing. The skill creator workflow can generate instructions, scripts, references, and assets; review all generated resources before installing them into an agent host. | ✓Dart skills can modify source code, tests, pubspec dependencies, analysis options, generated mocks, coverage output, native hooks, FFI bindings, and package constraints. `dart fix --apply`, formatter runs, mock generation, build_runner, ffigen, and Native Assets hooks can create broad mechanical diffs; inspect changes before committing. Native Assets and FFI workflows may compile C/C++ code, run local toolchains, download precompiled binaries, and link dynamic or static libraries. Downloaded binaries should use cryptographic hash validation and offline fallbacks as the skill describes. Package conflict fixes can upgrade or downgrade dependencies and affect transitive package behavior across Dart and Flutter projects. |
| Privacy notes | ✓OpenAPI specs can expose private endpoint names, internal domains, auth schemes, schemas, object fields, customer concepts, and operational workflows. Tool calls can send prompts, arguments, request bodies, auth-scoped API responses, error payloads, and logs through the MCP server, model provider, and deployment platform. Keep API keys, tokens, OAuth secrets, cookies, private base URLs, customer data, and internal spec comments out of public examples, repository files, issue comments, and screenshots. For third-party or customer APIs, confirm data retention and logging behavior across the MCP client, mcp-use deployment target, model provider, and API provider. | ✓Google Cloud workflows may expose project IDs, service account emails, OAuth tokens, API keys, ADC credentials, Terraform state, dataset names, table schemas, query text, logs, traces, prompts, model outputs, embeddings, and customer data. BigQuery, Firebase, Cloud SQL, AlloyDB, GKE, and Agent Platform workflows may process regulated or proprietary data; review data residency, IAM, retention, audit logging, and sharing rules before use. Gemini API and Agent Platform skills can send prompts, files, images, audio, video, tool inputs, structured outputs, cached contexts, and batch datasets to Google services. Keep credentials, project IDs when sensitive, private queries, logs, trace payloads, Terraform state, customer data, and generated datasets out of public prompts, issues, PRs, and screenshots. | ✓Skill usage can expose documents, spreadsheets, slide decks, prompts, company workflows, brand guidelines, MCP designs, API details, and generated artifacts to Claude or the configured model/runtime. Do not upload or commit customer documents, regulated data, private brand assets, secrets, credentials, or unreleased business plans unless the environment and account policy allow that data. When creating custom skills, check bundled scripts, references, and assets for private data before sharing a repository, plugin, or ZIP archive. | ✓Dart projects may contain private package names, API schemas, service URLs, test fixtures, generated mocks, coverage paths, stack traces, native library names, and build logs. Runtime-error workflows can expose stack traces, local paths, active app state, logs, and user-input data from the running program. FFI and Native Assets workflows may include proprietary C/C++ source, platform-specific build settings, binary hashes, and downloaded artifact URLs. Keep credentials, private package registries, source paths when sensitive, proprietary native code, test data, and generated coverage reports out of public prompts, issues, PRs, and examples. |
| Prerequisites |
|
|
|
|
| Install | | | | |
| Config | — | — | — | — |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Signals
Loading live community signals…
More like this, weekly
A short, calm digest of reviewed Claude resources. Unsubscribe any time.