Skip to main content
skillsSource-backed

Spectral OpenAPI Contract Audit Capability Pack Skill

Expert Spectral review skill for auditing OpenAPI contracts, OAS rulesets, lint results, schema drift, CI gates, and API release readiness.

Level:expertType:capability-packVerified:validated
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://github.com/stoplightio/spectral/blob/v6.15.0/README.md, https://github.com/stoplightio/spectral
Safety notes
Installing Spectral adds npm packages to the selected project environment; pin the reviewed version and avoid global installs for review work., Spectral can lint local files, globs, and remote contract URLs; review source locations before running checks in shared CI., Ruleset changes can silently weaken future API gates; review disabled rules, severity changes, and overrides as release-impacting changes., JavaScript rulesets and custom functions such as `.spectral.js` execute Node.js code; do not run attacker-supplied rulesets from untrusted PRs unless they have been inspected and executed in a sandboxed environment., The source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.
Privacy notes
OpenAPI files can reveal internal route names, hostnames, example payloads, business object names, and planned endpoints., Lint reports can include source paths, schema paths, rule names, snippets, and examples from the reviewed contract., Keep public review notes focused on rule IDs, contract paths, compatibility impact, and summarized examples; omit details that do not need to be public.
Platform compatibility
claude-code (native-skill), codex (native-skill), windsurf (native-skill), gemini (native-skill), cursor (adapter), cli (manual-context)
Author
oktofeesh1
Submitted by
oktofeesh1
Claim status
unclaimed
Last verified
2026-06-03

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

86

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Package install

Copy-ready — paste the snippet to get started.

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

5 prerequisites to line up before setup. Includes a review or approval gate.

0/5 ready
Configuration1Review & approval1General3

Safety & privacy surface

Safety & privacy surface

5 safety and 3 privacy notes across 4 risk areas. Review closely: network access.

4 areas
  • SafetyExecution & processesInstalling Spectral adds npm packages to the selected project environment; pin the reviewed version and avoid global installs for review work.
  • SafetyNetwork accessSpectral can lint local files, globs, and remote contract URLs; review source locations before running checks in shared CI.
  • SafetyGeneralRuleset changes can silently weaken future API gates; review disabled rules, severity changes, and overrides as release-impacting changes.
  • SafetyExecution & processesJavaScript rulesets and custom functions such as `.spectral.js` execute Node.js code; do not run attacker-supplied rulesets from untrusted PRs unless they have been inspected and executed in a sandboxed environment.
  • SafetyGeneralThe source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.
  • PrivacyNetwork accessOpenAPI files can reveal internal route names, hostnames, example payloads, business object names, and planned endpoints.
  • PrivacyLocal filesLint reports can include source paths, schema paths, rule names, snippets, and examples from the reviewed contract.
  • PrivacyLocal filesKeep public review notes focused on rule IDs, contract paths, compatibility impact, and summarized examples; omit details that do not need to be public.

Safety notes

  • Installing Spectral adds npm packages to the selected project environment; pin the reviewed version and avoid global installs for review work.
  • Spectral can lint local files, globs, and remote contract URLs; review source locations before running checks in shared CI.
  • Ruleset changes can silently weaken future API gates; review disabled rules, severity changes, and overrides as release-impacting changes.
  • JavaScript rulesets and custom functions such as `.spectral.js` execute Node.js code; do not run attacker-supplied rulesets from untrusted PRs unless they have been inspected and executed in a sandboxed environment.
  • The source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.

Privacy notes

  • OpenAPI files can reveal internal route names, hostnames, example payloads, business object names, and planned endpoints.
  • Lint reports can include source paths, schema paths, rule names, snippets, and examples from the reviewed contract.
  • Keep public review notes focused on rule IDs, contract paths, compatibility impact, and summarized examples; omit details that do not need to be public.

Prerequisites

  • OpenAPI v2, v3.0, or v3.1 contract file set
  • Spectral ruleset such as `.spectral.yaml` or an explicit ruleset path
  • Lint output, CI output, or proposed contract diff
  • API owner expectations for breaking changes, naming, examples, and release gates
  • Consumer impact notes, changelog, or compatibility policy for the reviewed API

Schema details

Install type
package
Reading time
9 min
Troubleshooting
Yes
Source repository stats
Scope
Source repo
Skill and platform metadata
Skill type
capability-pack
Skill level
expert
Verification
validated
Verified at
2026-06-03
Retrieval sources
https://github.com/stoplightio/spectral/blob/v6.15.0/README.mdhttps://github.com/stoplightio/spectral/releases/tag/v6.15.0https://registry.npmjs.org/@stoplight/spectral-cli/6.15.0https://raw.githubusercontent.com/stoplightio/spectral/v6.15.0/packages/cli/package.jsonhttps://raw.githubusercontent.com/stoplightio/spectral/v6.15.0/docs/getting-started/4-openapi.mdhttps://raw.githubusercontent.com/stoplightio/spectral/v6.15.0/docs/guides/2-cli.mdhttps://raw.githubusercontent.com/stoplightio/spectral/v6.15.0/docs/guides/4-custom-rulesets.mdhttps://raw.githubusercontent.com/stoplightio/spectral/v6.15.0/docs/guides/8-continuous-integration.mdhttps://raw.githubusercontent.com/stoplightio/spectral/v6.15.0/docs/reference/openapi-rules.md
Tested platforms
ClaudeCodexWindsurfGeminiCursorGeneric AGENTS
PlatformSupportInstall path
claude-codeNative.claude/skills/<skill-name>/SKILL.md
codexNative.agents/skills/<skill-name>/SKILL.md
windsurfNative.windsurf/skills/<skill-name>/SKILL.md
geminiNative.gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md
cursorAdapter.cursor/rules/<skill-name>.mdc
cliManualAGENTS.md or tool-specific context file
Full copyable content
# Trigger
"Apply the Spectral OpenAPI contract audit capability pack to this API contract change."

# Required output
1) Spectral package/source version and ruleset inventory
2) OpenAPI version, file set, references, and lint-result review
3) Contract findings with release-blocking and non-blocking issues
4) Validation plan and merge, hold, or request-changes recommendation

About this resource

Knowledge Freshness

This capability pack is pinned to Stoplight Spectral 6.15.0, source tag v6.15.0, npm metadata, and source documentation verified on 2026-06-03. The reviewed CLI package requires Node ^16.20, ^18.18, or >=20.17.

Retrieval Sources

Prefer the pinned Spectral source, npm metadata, and source documentation over model memory for CLI flags, built-in ruleset names, OpenAPI support, ruleset structure, and CI behavior.

Scope Note

This is not an API design rule pack, documentation generator, MCP server listing, or slash command. Use it for human-in-the-loop review of OpenAPI contract changes with Spectral evidence: rulesets, lint output, schema drift, reference behavior, compatibility risk, and release gate decisions.

Core Workflow

  1. Confirm the Spectral package version, source tag, npm metadata, Node runtime requirement, ruleset location, and OpenAPI contract file set.
  2. Identify the OpenAPI version, document boundaries, referenced files, generated files, source-of-truth owner, and contract consumers.
  3. Inventory Spectral configuration: .spectral.yaml, explicit --ruleset usage, extended rulesets, formats, overrides, parser options, and custom rule documentation.
  4. Before running Spectral against an untrusted change, inspect any JavaScript rulesets or custom functions and use an isolated sandbox if execution is required.
  5. Run or review lint output with the expected formatter and fail severity. Preserve rule IDs, JSON paths, line ranges, source file names, and severity values.
  6. Classify findings as syntax/parser failures, built-in OAS rule failures, custom rule failures, style drift, compatibility risk, generated-output noise, or false positives.
  7. Review contract diffs for endpoint addition, endpoint removal, method changes, request and response shape changes, enum changes, required-field changes, examples, tags, operation IDs, and reference moves.
  8. Review ruleset changes separately from contract changes. Treat disabled rules, lower severities, broad overrides, or format changes as release-impacting until explained.
  9. Build a validation plan: Spectral lint, generated client/type check when applicable, documentation render check when applicable, and consumer compatibility review for breaking changes.
  10. Produce a release recommendation with blockers, non-blocking fixes, accepted exceptions, owner follow-up, and a merge, hold, or request-changes decision.

Capability Scope

  • Spectral package/source verification
  • OpenAPI v2, v3.0, and v3.1 contract review
  • .spectral.yaml and custom ruleset audit
  • Built-in spectral:oas rule-result triage
  • Reference and multi-file contract review
  • CI fail-severity and formatter review
  • Compatibility and schema-drift classification
  • Evidence-based API release recommendation

Compatibility

Native

  • Claude Code / Claude: use as a reusable Agent Skill for OpenAPI PR review and API release readiness.
  • Codex/OpenAI workflows: use as SKILL.md-style instructions for contract-audit work.

Manual Adaptation

  • Windsurf and Gemini: adapt the workflow and output contract into their skill formats.
  • Cursor and Generic AGENTS files: convert the production rules and validation checklist into repository-level OpenAPI review guidance.

Required Inputs

  • Spectral package version and ruleset path
  • OpenAPI contract file path, generated source, or review diff
  • Lint output, CI output, or command needed to reproduce results
  • Expected OpenAPI version and consumer compatibility policy
  • Owner policy for breaking changes, deprecations, examples, and release notes

Production Rules

  • Do not approve a contract change until the OpenAPI version and source-of-truth file set are clear.
  • Do not mix ruleset weakening with contract changes unless the reason and release impact are explicit.
  • Treat endpoint removals, required-field additions, enum narrowing, status-code changes, and response shape changes as compatibility risks until reviewed by an owner.
  • Treat parser errors, unresolved references, missing operation IDs, and ambiguous schemas as release-blocking unless the owner accepts a documented exception.
  • Do not rely only on generated docs rendering; lint the source contract and inspect the relevant schema path.
  • Keep style-only lint findings separate from consumer-breaking findings.
  • Prefer targeted ruleset exceptions with documentation over broad overrides.

Output Contract

  1. Source evidence: Spectral version, source tag, npm metadata, docs, ruleset, and contract files reviewed.
  2. Contract inventory: OpenAPI version, file set, generated or authored status, references, and consumer impact area.
  3. Ruleset review: extends, formats, overrides, parser options, custom rules, fail severity, and formatter outputs.
  4. Findings: parser errors, OAS rule failures, custom rule failures, compatibility risks, and accepted exceptions.
  5. Validation plan: exact lint command, JavaScript ruleset/custom-function inspection or sandboxing status, CI gate, generated client/type check when relevant, and owner review.
  6. Recommendation: merge, hold, request changes, or split ruleset changes from contract changes.

Troubleshooting

Issue: Spectral reports no ruleset found

Fix: Confirm .spectral.yaml, .spectral.yml, .spectral.json, or .spectral.js exists near the contract, or pass the intended file with --ruleset; inspect or sandbox .spectral.js and other JavaScript rulesets before running them from untrusted changes.

Issue: A contract diff looks harmless but generated clients break

Fix: Check required fields, enum values, oneOf/anyOf shape, nullable behavior, status codes, and renamed operation IDs before approving.

Issue: Custom rules create noisy findings

Fix: Separate style preference from compatibility risk, then recommend targeted severity changes or documented exceptions instead of disabling the rule broadly.

Issue: Remote references behave differently in CI

Fix: Compare local and CI resolver behavior, reference URLs, checkout depth, generated artifacts, and pinned dependency versions before accepting the result.

Issue: Lint results are hard to map back to the diff

Fix: Ask for JSON or SARIF output, preserve rule IDs and JSON paths, then map each finding to the changed contract path and owner.

Validation Checklist

  • Spectral package version, source tag, npm metadata, and docs verified.
  • OpenAPI version and source-of-truth file set identified.
  • Ruleset location, extends, formats, overrides, and parser options reviewed.
  • Lint command, formatter, and fail severity recorded.
  • Parser errors and unresolved references checked.
  • Built-in OAS findings triaged.
  • Custom rule findings triaged.
  • Contract diff reviewed for compatibility risk.
  • Ruleset changes reviewed separately from contract changes.
  • Merge, hold, request-changes, or split recommendation documented.

Source citations

Add this badge to your README

Show that Spectral OpenAPI Contract Audit Capability Pack Skill is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/skills/spectral-openapi-contract-audit-capability-pack.svg)](https://heyclau.de/entry/skills/spectral-openapi-contract-audit-capability-pack)

How it compares

Spectral OpenAPI Contract Audit Capability Pack Skill side by side with 2 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

Field

Expert Spectral review skill for auditing OpenAPI contracts, OAS rulesets, lint results, schema drift, CI gates, and API release readiness.

Open dossier

Expert Vitest coverage planning skill for choosing providers, scoping reports, setting thresholds, triaging gaps, and designing practical coverage gates.

Open dossier

Expert reg-suit review skill for evaluating rendered UI image baselines, thresholds, snapshot storage, report artifacts, and visual QA release readiness.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSubmission linkedSource submissionSubmission linkedSource submissionSubmission linkedSource submission
Submitteroktofeesh1oktofeesh1oktofeesh1
Install riskReview firstReview firstReview first
Notes Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓
Brand
Categoryskillsskillsskills
SourceSource-backedSource-backedSource-backed
Authoroktofeesh1oktofeesh1oktofeesh1
Added2026-06-032026-06-032026-06-03
Platforms
Harness
Source repo
Safety notesInstalling Spectral adds npm packages to the selected project environment; pin the reviewed version and avoid global installs for review work. Spectral can lint local files, globs, and remote contract URLs; review source locations before running checks in shared CI. Ruleset changes can silently weaken future API gates; review disabled rules, severity changes, and overrides as release-impacting changes. JavaScript rulesets and custom functions such as `.spectral.js` execute Node.js code; do not run attacker-supplied rulesets from untrusted PRs unless they have been inspected and executed in a sandboxed environment. The source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.Installing Vitest and coverage providers adds npm packages to the selected project environment; pin reviewed versions and use project-local installs. Coverage runs execute the project test suite and can use test fixtures, network mocks, databases, or generated artifacts configured by the project. Vitest coverage can clean the configured reports directory before a run; confirm the reports directory is disposable before enabling coverage in shared workflows. Threshold changes can block or unblock CI; review threshold updates separately from test additions. The source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.Installing reg-suit adds npm packages to the selected project environment; pin the reviewed package version and avoid global installs for review work. reg-suit can publish image snapshots and HTML reports through storage plugins such as S3 or Google Cloud Storage; review destination configuration before running in shared CI. Visual baselines can normalize accidental UI changes if accepted too casually; require owner approval for broad layout, color, text, or viewport changes. The source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.
Privacy notesOpenAPI files can reveal internal route names, hostnames, example payloads, business object names, and planned endpoints. Lint reports can include source paths, schema paths, rule names, snippets, and examples from the reviewed contract. Keep public review notes focused on rule IDs, contract paths, compatibility impact, and summarized examples; omit details that do not need to be public.Coverage output can reveal source paths, module names, uncovered function names, branch structure, report file names, and project layout. HTML, JSON, LCOV, and JUnit artifacts can include snippets, line ranges, and package structure from the reviewed project. Keep public review notes focused on aggregate gaps, file groups, risk areas, and validation commands; omit sensitive implementation details that do not need to be public.Rendered UI images and reports can expose environment URLs, branch names, visible UI text, test account data, and product screenshots. Storage and notification plugins can publish report links to CI systems, pull request comments, chat tools, or cloud buckets. Keep public review notes focused on changed components, thresholds, artifact links, and summarized findings; omit sensitive rendered content that does not need to be public.
Prerequisites
  • OpenAPI v2, v3.0, or v3.1 contract file set
  • Spectral ruleset such as `.spectral.yaml` or an explicit ruleset path
  • Lint output, CI output, or proposed contract diff
  • API owner expectations for breaking changes, naming, examples, and release gates
  • JavaScript or TypeScript project using Vitest or evaluating a Vitest coverage gate
  • Test command, package manager, and `vitest.config` or Vite config
  • Current coverage report, changed-file context, or uncovered source inventory
  • Project risk areas, owner expectations, and release policy for test gaps
  • UI change, pull request, or release candidate with rendered image artifacts
  • reg-suit configuration such as `regconfig.json`
  • Baseline image source, actual image directory, and generated report location
  • Threshold policy for accepted pixel or rate differences
Install
npm install --save-dev @stoplight/spectral-cli@6.15.0
npm install --save-dev vitest@4.1.8 @vitest/coverage-v8@4.1.8
npm install --save-dev reg-suit@0.14.5
Config
Citations
ClaimUnclaimedUnclaimedUnclaimed
Open 3 picks in the interactive comparison tool

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.