FrancoStino/api-security-testing
bundled-skills/api-security-testing/SKILL.md
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
$ install --global
skillsauthnpx skillsauth add FrancoStino/opencode-skills-antigravity api-security-testingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 15, 2026, 6:22 AM6.7s1 file scanned
SKILL.md
- name:
- api-security-testing
- description:
- API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
- category:
- granular-workflow-bundle
- risk:
- safe
- source:
- personal
- date_added:
- 2026-02-27
API Security Testing Workflow
Overview
Specialized workflow for testing REST and GraphQL API security including authentication, authorization, rate limiting, input validation, and API-specific vulnerabilities.
When to Use This Workflow
Use this workflow when:
- Testing REST API security
- Assessing GraphQL endpoints
- Validating API authentication
- Testing API rate limiting
- Bug bounty API testing
Workflow Phases
Phase 1: API Discovery
Skills to Invoke
api-fuzzing-bug-bounty- API fuzzingscanning-tools- API scanning
Actions
- Enumerate endpoints
- Document API methods
- Identify parameters
- Map data flows
- Review documentation
Copy-Paste Prompts
Use @api-fuzzing-bug-bounty to discover API endpoints
Phase 2: Authentication Testing
Skills to Invoke
broken-authentication- Auth testingapi-security-best-practices- API auth
Actions
- Test API key validation
- Test JWT tokens
- Test OAuth2 flows
- Test token expiration
- Test refresh tokens
Copy-Paste Prompts
Use @broken-authentication to test API authentication
Phase 3: Authorization Testing
Skills to Invoke
idor-testing- IDOR testing
Actions
- Test object-level authorization
- Test function-level authorization
- Test role-based access
- Test privilege escalation
- Test multi-tenant isolation
Copy-Paste Prompts
Use @idor-testing to test API authorization
Phase 4: Input Validation
Skills to Invoke
api-fuzzing-bug-bounty- API fuzzingsql-injection-testing- Injection testing
Actions
- Test parameter validation
- Test SQL injection
- Test NoSQL injection
- Test command injection
- Test XXE injection
Copy-Paste Prompts
Use @api-fuzzing-bug-bounty to fuzz API parameters
Phase 5: Rate Limiting
Skills to Invoke
api-security-best-practices- Rate limiting
Actions
- Test rate limit headers
- Test brute force protection
- Test resource exhaustion
- Test bypass techniques
- Document limitations
Copy-Paste Prompts
Use @api-security-best-practices to test rate limiting
Phase 6: GraphQL Testing
Skills to Invoke
api-fuzzing-bug-bounty- GraphQL fuzzing
Actions
- Test introspection
- Test query depth
- Test query complexity
- Test batch queries
- Test field suggestions
Copy-Paste Prompts
Use @api-fuzzing-bug-bounty to test GraphQL security
Phase 7: Error Handling
Skills to Invoke
api-security-best-practices- Error handling
Actions
- Test error messages
- Check information disclosure
- Test stack traces
- Verify logging
- Document findings
Copy-Paste Prompts
Use @api-security-best-practices to audit API error handling
API Security Checklist
- [ ] Authentication working
- [ ] Authorization enforced
- [ ] Input validated
- [ ] Rate limiting active
- [ ] Errors sanitized
- [ ] Logging enabled
- [ ] CORS configured
- [ ] HTTPS enforced
Quality Gates
- [ ] All endpoints tested
- [ ] Vulnerabilities documented
- [ ] Remediation provided
- [ ] Report generated
Related Workflow Bundles
security-audit- Security auditingweb-security-testing- Web securityapi-development- API development
Limitations
- Use this skill only when the task clearly matches the scope described above.
- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.
Related Skills
FrancoStino/youtube-full
development
VerifiedTrustedCommunity
Fetch YouTube transcripts, search videos, browse channels, and extract playlists via TranscriptAPI — no yt-dlp, no Google API key, works from any cloud server.
31SKILL.mdUpdated Jun 5, 2026
FrancoStino/yield-intelligence
development
VerifiedTrustedCommunity
Passive income portfolio analysis — activate when user asks about dividend yields, Treasury rates, REIT income, monthly passive income goals, or portfolio yield optimization. Scans 4 asset classes, ranks by risk-adjusted return, and builds allocations targeting a specific monthly income.
31SKILL.mdUpdated Jun 5, 2026
FrancoStino/vibecode-production-qa-validator
devops
VerifiedTrustedCommunity
End-to-end production QA, build verification, and launch-readiness checklist for fullstack Next.js apps. Covers TypeScript, linting, tests, build, SEO tags, route regression, and sitemap validation.
31SKILL.mdUpdated Jun 5, 2026
FrancoStino/vibe-code-cleanup
development
VerifiedTrustedCommunity
Safe production cleanup and hardening for vibe-coded fullstack apps (Next.js, React, Node.js, etc.). Removes dead imports, unused files, and broken references without breaking routes or APIs.
31SKILL.mdUpdated Jun 5, 2026