Skip to content

[high] uipath-coded-apps: skill guides the agent to bypass uip with direct curl calls against ~/.uipath/.auth #334

Open
#401
Open
[high] uipath-coded-apps: skill guides the agent to bypass uip with direct curl calls against ~/.uipath/.auth#334
#401
Labels
area:authLogin, token handling, ~/.uipath, identity_ endpointsarea:skill-bypasses-cliSkill instructs agent to skip uip (direct curl, home-dir tokens, npx, hand-authored JSON)area:skill-contentGap lives in skill bodybugSomething isn't workingcategory:uxUsability issuefound-by:claude-scenario-harnessAttribution to the scenario-testing pipelineseverity:highBlocks user workflowssource:scenario-testingFiled via /scenario gh-issues from a gap fileuipath-coded-appsApps skill
@mercer

Description

@mercer
mercer
opened on Apr 22, 2026

Summary

Bug report — high.

Severity reason: blocks scenario; no workaround inside uip

Customer-out-of-box impact: (see parent gap)

Description

blocked (invalidates the CLI under test — runs aren't testing uip at all). Severity high — blocks scenario; no workaround inside uip.

Steps to Reproduce

Reproduction: Run any uipath-coded-apps skills-mode scenario that involves OAuth setup. Agent will Read the skill's oauth-client-setup.md, source ~/.uipath/.auth, and use curl against /oauth2/applications/register-public and /orchestrator_/api/Apps/DeployCodedApp.

Expected Behavior

(see Reproduction block — CLI to return actionable error with remediation)

Actual Behavior

(see Verbatim evidence above)

Verbatim agent evidence (Claude Haiku 4.5, 2026-04-21)

The agent Read the skill's own references, then followed their guidance to source the user's credential file and make 10+ direct HTTP calls to the UiPath backend — never using uip for those steps:

source ~/.uipath/.auth && curl -s -X GET "https://alpha.uipath.com/emilianeurope01/DefaultTenant/orchestrator_/odata/ExternalApplications" \
  -H "Authorization: Bearer $UIPATH_ACCESS_TOKEN" \
  -H "Content-Type: application/json" | python3 -m json.tool | head -50
source ~/.uipath/.auth 2>/dev/null && curl -s -X POST "https://alpha.api.uipath.com/oauth2/applications/register-public" \
  -H "Authorization: Bearer ${UIPATH_ACCESS_TOKEN}" \
  -H "Content-Type: application/json"
source ~/.uipath/.auth 2>/dev/null && curl -s -X POST "https://alpha.uipath.com/emilianeurope01/DefaultTenant/orchestrator_/api/Apps/DeployCodedApp" \
  -H "Authorization: Bearer ${UIPATH_ACCESS_TOKEN}"

Each call was produced after a Read on .claude/skills/uipath-coded-apps/references/*.md. The skill itself tells agents to use Playwright + oauth-client-setup.md + direct OAuth endpoint calls rather than uip subcommands.

  • Reproduction: Run any uipath-coded-apps skills-mode scenario that involves OAuth setup. Agent will Read the skill's oauth-client-setup.md, source ~/.uipath/.auth, and use curl against /oauth2/applications/register-public and /orchestrator_/api/Apps/DeployCodedApp.

Environment

  • CLI: 0.3.4 @ de816019
  • OS / runtime: see uip login status --output json output; reproduced across macOS + Linux agent runs
  • Installed via: scripts/dev-install.sh from UiPath/cli@main

Architecture principle violated

(not explicitly noted; see gap body)

Cross-references

Metadata

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:authLogin, token handling, ~/.uipath, identity_ endpointsarea:skill-bypasses-cliSkill instructs agent to skip uip (direct curl, home-dir tokens, npx, hand-authored JSON)area:skill-contentGap lives in skill bodybugSomething isn't workingcategory:uxUsability issuefound-by:claude-scenario-harnessAttribution to the scenario-testing pipelineseverity:highBlocks user workflowssource:scenario-testingFiled via /scenario gh-issues from a gap fileuipath-coded-appsApps skill

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions