Agent skill

api-security-testing

API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.

Stars 232
Forks 15

Install this agent skill to your Project

npx add-skill https://github.com/aiskillstore/marketplace/tree/main/skills/sickn33/api-security-testing

SKILL.md

API Security Testing Workflow

Overview

Specialized workflow for testing REST and GraphQL API security including authentication, authorization, rate limiting, input validation, and API-specific vulnerabilities.

When to Use This Workflow

Use this workflow when:

  • Testing REST API security
  • Assessing GraphQL endpoints
  • Validating API authentication
  • Testing API rate limiting
  • Bug bounty API testing

Workflow Phases

Phase 1: API Discovery

Skills to Invoke

  • api-fuzzing-bug-bounty - API fuzzing
  • scanning-tools - API scanning

Actions

  1. Enumerate endpoints
  2. Document API methods
  3. Identify parameters
  4. Map data flows
  5. Review documentation

Copy-Paste Prompts

Use @api-fuzzing-bug-bounty to discover API endpoints

Phase 2: Authentication Testing

Skills to Invoke

  • broken-authentication - Auth testing
  • api-security-best-practices - API auth

Actions

  1. Test API key validation
  2. Test JWT tokens
  3. Test OAuth2 flows
  4. Test token expiration
  5. Test refresh tokens

Copy-Paste Prompts

Use @broken-authentication to test API authentication
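A defender-side reference for the JWT checks in Phase 2 (pinned algorithm, signature verification, mandatory expiry), added here as an example and not part of this skill or any project it names; the secret, the claims and the HS256-only policy are constructed for the demo:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"   # constructed for the example, not a real key
ALLOWED_ALG = "HS256"                  # the server pins one algorithm; the header is never trusted

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, alg: str = ALLOWED_ALG, key: bytes = SECRET) -> str:
    """Mint a token; alg and key are parameters so a tester can build bad tokens."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    try:
        h_part, p_part, s_part = token.split(".")
        header = json.loads(_unb64url(h_part))
        claims = json.loads(_unb64url(p_part))
    except ValueError:  # wrong segment count, bad base64 and bad JSON all land here
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # 1. Algorithm must equal the pinned one: "none" and any other alg are rejected.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Signature checked over the exact signed bytes with a constant-time compare.
    expected = hmac.new(key, f"{h_part}.{p_part}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s_part)):
        raise ValueError("bad signature")
    # 3. Expiry is mandatory; a token without exp is treated as invalid, not eternal.
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("missing or non-numeric exp")
    if now >= exp:
        raise ValueError("token expired")
    return claims
```

Each ValueError branch corresponds to one of the action items above, so an API whose responses differ from this verifier on any of the bad tokens has a finding to document.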

Phase 3: Authorization Testing

Skills to Invoke

  • idor-testing - IDOR testing

Actions

  1. Test object-level authorization
  2. Test function-level authorization
  3. Test role-based access
  4. Test privilege escalation
  5. Test multi-tenant isolation

Copy-Paste Prompts

Use @idor-testing to test API authorization

Phase 4: Input Validation

Skills to Invoke

  • api-fuzzing-bug-bounty - API fuzzing
  • sql-injection-testing - Injection testing

Actions

  1. Test parameter validation
  2. Test SQL injection
  3. Test NoSQL injection
  4. Test command injection
  5. Test XXE injection

Copy-Paste Prompts

Use @api-fuzzing-bug-bounty to fuzz API parameters

Phase 5: Rate Limiting

Skills to Invoke

  • api-security-best-practices - Rate limiting

Actions

  1. Test rate limit headers
  2. Test brute force protection
  3. Test resource exhaustion
  4. Test bypass techniques
  5. Document limitations

Copy-Paste Prompts

Use @api-security-best-practices to test rate limiting

Phase 6: GraphQL Testing

Skills to Invoke

  • api-fuzzing-bug-bounty - GraphQL fuzzing

Actions

  1. Test introspection
  2. Test query depth
  3. Test query complexity
  4. Test batch queries
  5. Test field suggestions

Copy-Paste Prompts

Use @api-fuzzing-bug-bounty to test GraphQL security
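A static pre-check for GraphQL request bodies covering the Phase 6 items an API gateway should enforce (introspection, query depth, complexity as a field count, batch size), added here as an example and not part of this skill; the limits and the heuristic tokenizer are assumptions, and field suggestions are a server-response behaviour this offline check does not cover:

```python
import json
import re

MAX_DEPTH, MAX_FIELDS, MAX_BATCH = 6, 100, 5   # assumed limits for the example
_TOKEN_RE = re.compile(r"[{}()]|\.\.\.|[A-Za-z_][A-Za-z0-9_]*|\S")

def analyze_query(query: str) -> dict:
    """Return the deepest selection set and the number of selected fields.

    Heuristic tokenizer, not a full GraphQL parser: braces track depth and
    identifiers inside a selection set but outside argument lists count as
    fields; aliases (name:), directives (@name), fragment spreads and the
    'on' keyword with its type name are skipped.
    """
    text = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)   # braces inside strings do not nest
    toks = _TOKEN_RE.findall(text)
    depth = max_depth = parens = fields = 0
    for i, tok in enumerate(toks):
        prev = toks[i - 1] if i else ""
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
        elif tok in ("(", ")"):
            parens += 1 if tok == "(" else -1
        elif (tok[0].isalpha() or tok[0] == "_") and depth and not parens:
            if nxt != ":" and tok != "on" and prev not in ("@", "on", "..."):
                fields += 1
    return {"depth": max_depth, "fields": fields}

def check_request(body: str) -> list:
    """Return policy findings for one JSON request body (single op or batch)."""
    parsed = json.loads(body)
    ops = parsed if isinstance(parsed, list) else [parsed]
    findings = []
    if len(ops) > MAX_BATCH:
        findings.append(f"batch of {len(ops)} operations exceeds {MAX_BATCH}")
    for n, op in enumerate(ops):
        query = op.get("query", "")
        stats = analyze_query(query)
        if re.search(r"\b__(schema|type)\b", query):
            findings.append(f"op {n}: introspection query")
        if stats["depth"] > MAX_DEPTH:
            findings.append(f"op {n}: depth {stats['depth']} exceeds {MAX_DEPTH}")
        if stats["fields"] > MAX_FIELDS:
            findings.append(f"op {n}: {stats['fields']} fields exceed {MAX_FIELDS}")
    return findings
```

Sending the same constructed bodies to a live endpoint and comparing its verdict with these findings shows which of the four limits the API actually enforces.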

Phase 7: Error Handling

Skills to Invoke

  • api-security-best-practices - Error handling

Actions

  1. Test error messages
  2. Check information disclosure
  3. Test stack traces
  4. Verify logging
  5. Document findings

Copy-Paste Prompts

Use @api-security-best-practices to audit API error handling

API Security Checklist

  • Authentication working
  • Authorization enforced
  • Input validated
  • Rate limiting active
  • Errors sanitized
  • Logging enabled
  • CORS configured
  • HTTPS enforced

Quality Gates

  • All endpoints tested
  • Vulnerabilities documented
  • Remediation provided
  • Report generated

Related Workflow Bundles

  • security-audit - Security auditing
  • web-security-testing - Web security
  • api-development - API development
