zaid-gd/api-security-testing
.agents/skills/Codex-Skills/api-security-testing/SKILL.md
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
$ install --global
skillsauthnpx skillsauth add zaid-gd/Roadmap-maker api-security-testingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 9:06 AM25.8s1 file scanned
SKILL.md
- name:
- api-security-testing
- description:
- API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
- category:
- granular-workflow-bundle
- risk:
- safe
- source:
- personal
- date_added:
- 2026-02-27
API Security Testing Workflow
Overview
Specialized workflow for testing REST and GraphQL API security including authentication, authorization, rate limiting, input validation, and API-specific vulnerabilities.
When to Use This Workflow
Use this workflow when:
- Testing REST API security
- Assessing GraphQL endpoints
- Validating API authentication
- Testing API rate limiting
- Bug bounty API testing
Workflow Phases
Phase 1: API Discovery
Skills to Invoke
api-fuzzing-bug-bounty- API fuzzingscanning-tools- API scanning
Actions
- Enumerate endpoints
- Document API methods
- Identify parameters
- Map data flows
- Review documentation
Copy-Paste Prompts
Use @api-fuzzing-bug-bounty to discover API endpoints
Phase 2: Authentication Testing
Skills to Invoke
broken-authentication- Auth testingapi-security-best-practices- API auth
Actions
- Test API key validation
- Test JWT tokens
- Test OAuth2 flows
- Test token expiration
- Test refresh tokens
Copy-Paste Prompts
Use @broken-authentication to test API authentication
Phase 3: Authorization Testing
Skills to Invoke
idor-testing- IDOR testing
Actions
- Test object-level authorization
- Test function-level authorization
- Test role-based access
- Test privilege escalation
- Test multi-tenant isolation
Copy-Paste Prompts
Use @idor-testing to test API authorization
Phase 4: Input Validation
Skills to Invoke
api-fuzzing-bug-bounty- API fuzzingsql-injection-testing- Injection testing
Actions
- Test parameter validation
- Test SQL injection
- Test NoSQL injection
- Test command injection
- Test XXE injection
Copy-Paste Prompts
Use @api-fuzzing-bug-bounty to fuzz API parameters
Phase 5: Rate Limiting
Skills to Invoke
api-security-best-practices- Rate limiting
Actions
- Test rate limit headers
- Test brute force protection
- Test resource exhaustion
- Test bypass techniques
- Document limitations
Copy-Paste Prompts
Use @api-security-best-practices to test rate limiting
Phase 6: GraphQL Testing
Skills to Invoke
api-fuzzing-bug-bounty- GraphQL fuzzing
Actions
- Test introspection
- Test query depth
- Test query complexity
- Test batch queries
- Test field suggestions
Copy-Paste Prompts
Use @api-fuzzing-bug-bounty to test GraphQL security
Phase 7: Error Handling
Skills to Invoke
api-security-best-practices- Error handling
Actions
- Test error messages
- Check information disclosure
- Test stack traces
- Verify logging
- Document findings
Copy-Paste Prompts
Use @api-security-best-practices to audit API error handling
API Security Checklist
- [ ] Authentication working
- [ ] Authorization enforced
- [ ] Input validated
- [ ] Rate limiting active
- [ ] Errors sanitized
- [ ] Logging enabled
- [ ] CORS configured
- [ ] HTTPS enforced
Quality Gates
- [ ] All endpoints tested
- [ ] Vulnerabilities documented
- [ ] Remediation provided
- [ ] Report generated
Related Workflow Bundles
security-audit- Security auditingweb-security-testing- Web securityapi-development- API development
Related Skills
zaid-gd/asana-automation
tools
VerifiedTrustedCommunity
Automate Asana tasks via Rube MCP (Composio): tasks, projects, sections, teams, workspaces. Always search tools first for current schemas.
1SKILL.mdUpdated Apr 16, 2026
zaid-gd/arm-cortex-expert
development
VerifiedTrustedCommunity
Senior embedded software engineer specializing in firmware and driver development for ARM Cortex-M microcontrollers (Teensy, STM32, nRF52, SAMD).
1SKILL.mdUpdated Apr 16, 2026
zaid-gd/architecture
development
VerifiedTrustedCommunity
Architectural decision-making framework. Requirements analysis, trade-off evaluation, ADR documentation. Use when making architecture decisions or analyzing system design.
1SKILL.mdUpdated Apr 16, 2026
zaid-gd/architecture-patterns
development
VerifiedTrustedCommunity
Implement proven backend architecture patterns including Clean Architecture, Hexagonal Architecture, and Domain-Driven Design. Use when architecting complex backend systems or refactoring existing ...
1SKILL.mdUpdated Apr 16, 2026