api-sec
Entry P1 category router for API security. Use when choosing between API recon, authorization, token abuse, and hidden-parameter workflows before any deeper API topic skill.
How do I install this agent skill?
npx skills add https://github.com/yaklang/hack-skills --skill api-secIs this agent skill safe to install?
- Gen Agent Trust Hubpass
This skill is a purely informational router for API security workflows. It contains no executable code or external dependencies and serves to guide the agent to other specialized skills.
- Socketpass
No alerts
- Snykpass
Risk: LOW · No issues
- ZeroLeakspass
Score: 93/100 · 2 sections analyzed
What does this agent skill do?
API Security Router
This is the routing entry point for API security testing.
Use this skill first to decide whether the API issue is mostly recon/docs, object authorization, token trust, or GraphQL/hidden parameters, then route to a deeper topic skill.
When to Use
- The target exposes REST APIs, mobile backends, or GraphQL endpoints
- You need to define API testing order before going into specific topics
- You want to handle object authorization, JWT, GraphQL, and hidden fields as separate tracks
Skill Map
- API Recon and Docs: OpenAPI, Swagger, version drift, hidden documentation
- API Authorization and BOLA: BOLA, BFLA, method abuse, hidden writable fields
- API Auth and JWT Abuse: bearer token, header trust, claim abuse, rate-limit bypass
- GraphQL and Hidden Parameters: introspection, batching, undocumented fields, hidden parameters
Quick Triage
| Observation | Route |
|---|---|
| Swagger or OpenAPI is present | api-recon-and-docs |
| IDs appear in URL, JSON, headers, or GraphQL args | api-authorization-and-bola |
| JWT token visible in traffic | api-auth-and-jwt-abuse |
/graphql or batched JSON arrays are present | graphql-and-hidden-parameters |
| Registration, login, or profile updates accept extra fields | api-authorization-and-bola then api-auth-and-jwt-abuse |
Recommended Flow
- Start with exposed endpoints and documentation assets
- Then evaluate object-level and function-level authorization
- Then evaluate token, header, signature, and rate-limit boundaries
- If GraphQL or complex JSON is present, continue with hidden fields and schema abuse
Related Categories
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/yaklang/hack-skills/api-sec">View api-sec on skillZs</a>