{"id":"6a8b6a8d-3f61-4705-9c31-7aaba59e6a9b","shortId":"6ExKmX","kind":"skill","title":"api-security-testing","tagline":"API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.","description":"# API Security Testing Workflow\n\n## Overview\n\nSpecialized workflow for testing REST and GraphQL API security including authentication, authorization, rate limiting, input validation, and API-specific vulnerabilities.\n\n## When to Use This Workflow\n\nUse this workflow when:\n- Testing REST API security\n- Assessing GraphQL endpoints\n- Validating API authentication\n- Testing API rate limiting\n- Bug bounty API testing\n\n## Workflow Phases\n\n### Phase 1: API Discovery\n\n#### Skills to Invoke\n- `api-fuzzing-bug-bounty` - API fuzzing\n- `scanning-tools` - API scanning\n\n#### Actions\n1. Enumerate endpoints, including undocumented, versioned (`/v1`, `/v2`) and deprecated paths\n2. Document API methods: which HTTP verbs each endpoint actually accepts, not only the documented ones\n3. Identify parameters in the path, query string, headers and body\n4. Map data flows between endpoints and the services behind them\n5. Review documentation (OpenAPI/Swagger specs, GraphQL schema) and note where observed behaviour differs from it\n\n#### Copy-Paste Prompts\n```\nUse @api-fuzzing-bug-bounty to discover API endpoints\n```\n\n### Phase 2: Authentication Testing\n\n#### Skills to Invoke\n- `broken-authentication` - Auth testing\n- `api-security-best-practices` - API auth\n\n#### Actions\n1. Test API key validation: missing, empty, malformed and revoked keys must all be rejected\n2. Test JWT tokens: signature verification, `alg` pinning (reject `none` and algorithm confusion), and the `exp`, `aud` and `iss` claims\n3. Test OAuth2 flows: redirect URI validation, `state` and PKCE, scope enforcement\n4. Test token expiration: an expired token, or one with no `exp` at all, must not be accepted\n5. Test refresh tokens: rotation, reuse detection and revocation\n\n#### Copy-Paste Prompts\n```\nUse @broken-authentication to test API authentication\n```\n\n### Phase 3: Authorization Testing\n\n#### Skills to Invoke\n- `idor-testing` - IDOR testing\n\n#### Actions\n1. Test object-level authorization (BOLA/IDOR): request another user's objects with your own valid credentials\n2. Test function-level authorization: call admin-only or internal endpoints as a low-privilege user\n3. Test role-based access across every role the API defines\n4. Test privilege escalation via mass assignment (for example a writable `role` field) or parameter tampering\n5. Test multi-tenant isolation by swapping tenant identifiers in tokens, headers and paths\n\n#### Copy-Paste Prompts\n```\nUse @idor-testing to test API authorization\n```\n\n### Phase 4: Input Validation\n\n#### Skills to Invoke\n- `api-fuzzing-bug-bounty` - API fuzzing\n- `sql-injection-testing` - Injection testing\n\n#### Actions\n1. Test parameter validation: type, length, range and content-type confusion (JSON vs form vs XML)\n2. Test SQL injection\n3. Test NoSQL injection (operator injection such as `$ne` or `$gt` in JSON bodies)\n4. Test command injection\n5. Test XXE injection on any endpoint that accepts XML\n\n#### Copy-Paste Prompts\n```\nUse @api-fuzzing-bug-bounty to fuzz API parameters\n```\n\n### Phase 5: Rate Limiting\n\n#### Skills to Invoke\n- `api-security-best-practices` - Rate limiting\n\n#### Actions\n1. Test rate limit headers (`RateLimit-*`, `Retry-After`) and whether the advertised limit is actually enforced\n2. Test brute force protection on login, OTP and password-reset endpoints\n3. Test resource exhaustion: large payloads, unbounded pagination, expensive filters\n4. Test bypass techniques: client-supplied IP headers such as `X-Forwarded-For`, path case and encoding variants, rotating API keys\n5. Document limitations\n\n#### Copy-Paste Prompts\n```\nUse @api-security-best-practices to test rate limiting\n```\n\n### Phase 6: GraphQL Testing\n\n#### Skills to Invoke\n- `api-fuzzing-bug-bounty` - GraphQL fuzzing\n\n#### Actions\n1. Test introspection: is `__schema` queryable in production?\n2. Test query depth: deeply nested queries over circular relationships\n3. Test query complexity: cost limits on wide or expensive selections\n4. Test batch queries: array batching and aliases used to bypass per-request limits\n5. Test field suggestions: 'did you mean' hints that leak schema names even when introspection is off\n\n#### Copy-Paste Prompts\n```\nUse @api-fuzzing-bug-bounty to test GraphQL security\n```\n\n### Phase 7: Error Handling\n\n#### Skills to Invoke\n- `api-security-best-practices` - Error handling\n\n#### Actions\n1. Test error messages for verbose detail\n2. Check information disclosure (internal hostnames, versions, file paths)\n3. Test stack traces\n4. Verify logging captures security events without recording secrets or tokens\n5. Document findings\n\n#### Copy-Paste Prompts\n```\nUse @api-security-best-practices to audit API error handling\n```\n\n## API Security Checklist\n\n- [ ] Authentication enforced on every endpoint\n- [ ] Authorization enforced at object and function level\n- [ ] Input validated\n- [ ] Rate limiting active\n- [ ] Errors sanitized\n- [ ] Logging enabled\n- [ ] CORS configured (no wildcard origin with credentials)\n- [ ] HTTPS enforced\n\n## Quality Gates\n\n- [ ] All endpoints tested\n- [ ] Vulnerabilities documented\n- [ ] Remediation provided\n- [ ] Report generated\n\n## Related Workflow Bundles\n\n- `security-audit` - Security auditing\n- `web-security-testing` - Web security\n- `api-development` - API development\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.","tags":["api","security","testing","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding"],"capabilities":["skill","source-sickn33","skill-api-security-testing","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/api-security-testing","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34964 github stars · 
SKILL.md body (3,627 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-25T00:50:27.086Z","embedding":null,"createdAt":"2026-04-18T21:31:10.884Z","updatedAt":"2026-04-25T00:50:27.086Z","lastSeenAt":"2026-04-25T00:50:27.086Z","prices":[{"id":"c9fa68e7-db20-4a08-a803-f07eb24fbca6","listingId":"6a8b6a8d-3f61-4705-9c31-7aaba59e6a9b","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:31:10.884Z"}],"sources":[{"listingId":"6a8b6a8d-3f61-4705-9c31-7aaba59e6a9b","source":"github","sourceId":"sickn33/antigravity-awesome-skills/api-security-testing","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/api-security-testing","isPrimary":false,"firstSeenAt":"2026-04-18T21:31:10.884Z","lastSeenAt":"2026-04-25T00:50:27.086Z"}],"details":{"listingId":"6a8b6a8d-3f61-4705-9c31-7aaba59e6a9b","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"api-security-testing","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34964,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-24T06:41:17Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. 
Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"0025fa29925f7f914c6e1fd71effa5a040e5e2ed","skill_md_path":"skills/api-security-testing/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/api-security-testing"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"api-security-testing","description":"API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/api-security-testing"},"updatedAt":"2026-04-25T00:50:27.086Z"}}
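The block below is an added example for Phase 2 (Authentication Testing, "Test JWT tokens" and "Test token expiration") of the SKILL.md body in the record above. It is not code from the api-security-testing skill or the sickn33 repository. It shows the lax decode a broken API performs beside a strict HS256 verifier, and the probes a tester mints to tell them apart: a valid token, an `alg: none` forgery, an expired token, and a valid signature re-attached to edited claims. The secret, claim values and timestamps are constructed for the demonstration.

```python
# Added example (not from the api-security-testing skill): JWT probes from Phase 2.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing key for the demo. A tester usually has no key at all,
# which is the point: the alg=none and tampering probes do not need one.
SECRET = b"example-hs256-key-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _json_seg(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a token. `alg` is a parameter only so the tester can forge alg=none."""
    signing_input = _json_seg({"alg": alg, "typ": "JWT"}) + "." + _json_seg(payload)
    if alg == "none":
        return signing_input + "."            # unsigned token: empty signature segment
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def lax_decode(token: str) -> dict:
    """What a broken API does: read the claims without checking the signature."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def strict_verify(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Claims, or None. Pins alg to HS256, checks the HMAC, requires a future exp."""
    now = int(time.time()) if now is None else now
    try:
        h_seg, p_seg, s_seg = token.split(".")
        header = json.loads(_b64url_decode(h_seg))
        claims = json.loads(_b64url_decode(p_seg))
        sig = _b64url_decode(s_seg)
    except ValueError:                        # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                           # rejects alg=none and algorithm confusion
    expected = hmac.new(key, f"{h_seg}.{p_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                           # signature does not cover these bytes
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None                           # missing or past exp fails closed
    return claims


def run_probes(now: int = 1_700_000_000) -> dict:
    """Phase 2 probes: which tokens does the strict verifier accept?"""
    user = {"sub": "user-1", "role": "user", "exp": now + 600}
    admin = {"sub": "user-1", "role": "admin", "exp": now + 600}
    good = sign_hs256(user, SECRET)
    forged_none = sign_hs256(admin, b"", alg="none")              # no key needed
    expired = sign_hs256({**user, "exp": now - 1}, SECRET)
    h, _, s = good.split(".")
    tampered = h + "." + _json_seg(admin) + "." + s                 # real signature, edited claims
    return {
        "valid": strict_verify(good, SECRET, now) is not None,
        "alg_none": strict_verify(forged_none, SECRET, now) is not None,
        "expired": strict_verify(expired, SECRET, now) is not None,
        "tampered": strict_verify(tampered, SECRET, now) is not None,
        "lax_accepts_forged_admin": lax_decode(forged_none).get("role") == "admin",
    }
```

Against a live target the same probes are sent as `Authorization: Bearer <token>` and the finding is whichever of the forged, expired or tampered tokens still returns the authenticated response; `lax_accepts_forged_admin` is what that looks like in miniature.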
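The block below is an added example for Phase 3 (Authorization Testing, "Test object-level authorization (BOLA/IDOR)") of the SKILL.md body above. It is not code from the api-security-testing skill or the sickn33 repository. It models a toy invoice endpoint twice, once with the object-level check missing and once with it present, and runs the cross-account differential probe a tester uses: the owner must read the object, and a different authenticated user must not get the same response. The sessions, invoice records and identifiers are constructed for the demonstration.

```python
# Added example (not from the api-security-testing skill): IDOR probe from Phase 3.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed fixtures: bearer tokens, the principals they map to, and the objects.
SESSIONS = {
    "tok-alice": {"id": "u1", "role": "user"},
    "tok-bob":   {"id": "u2", "role": "user"},
    "tok-admin": {"id": "u0", "role": "admin"},
}
INVOICES = {
    "1001": {"id": "1001", "owner": "u1", "total": 120},
    "1002": {"id": "1002", "owner": "u2", "total": 980},
}


@dataclass
class Response:
    status: int
    body: Dict = field(default_factory=dict)


Handler = Callable[[str, str], Response]


def vulnerable_get_invoice(token: str, invoice_id: str) -> Response:
    """Authenticates the caller, then returns whatever id was asked for."""
    if token not in SESSIONS:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return Response(404)
    return Response(200, inv)            # no owner check: any user reads any invoice


def hardened_get_invoice(token: str, invoice_id: str) -> Response:
    """Same lookup, plus the object-level check: owner or admin only."""
    user = SESSIONS.get(token)
    if user is None:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    # 404 for both "missing" and "not yours", so the probe cannot enumerate ids.
    if inv is None or (inv["owner"] != user["id"] and user["role"] != "admin"):
        return Response(404)
    return Response(200, inv)


def idor_probe(handler: Handler, owner_token: str, other_token: str, object_id: str) -> bool:
    """Differential test: the owner must get 200; True means the other user got the same body."""
    owner = handler(owner_token, object_id)
    if owner.status != 200:
        raise RuntimeError(f"precondition failed: owner cannot read {object_id}")
    other = handler(other_token, object_id)
    return other.status == 200 and other.body == owner.body


def audit(handler: Handler) -> List[str]:
    """Try every non-admin session against every object it does not own; list the ids that leak."""
    owner_token = {sess["id"]: tok for tok, sess in SESSIONS.items()}
    leaked = []
    for obj_id, inv in INVOICES.items():
        for tok, sess in SESSIONS.items():
            if sess["role"] == "admin" or sess["id"] == inv["owner"]:
                continue
            if idor_probe(handler, owner_token[inv["owner"]], tok, obj_id):
                leaked.append(obj_id)
                break
    return sorted(leaked)
```

The probe deliberately compares bodies rather than only status codes: an endpoint that answers 200 with an empty or redacted body to the wrong user is not leaking the object, while one that answers 403 only for some ids is leaking existence. Both conditions are worth recording separately in the Phase 3 findings.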
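The block below is an added example for Phase 6 (GraphQL Testing: "Test introspection", "Test query depth" and "Test batch queries") of the SKILL.md body above. It is not code from the api-security-testing skill or the sickn33 repository, and it does not use a GraphQL parser library: it is a request guard that works on the raw POST body, rejecting introspection fields, over-deep selection sets, alias-batched operations and oversized JSON batches, plus the helper a tester uses to build a nested query of a chosen depth. The limits and sample queries are constructed for the demonstration; a production deployment would pick its own numbers.

```python
# Added example (not from the api-security-testing skill): GraphQL guard from Phase 6.
import json
import re
from typing import Tuple

MAX_DEPTH = 8        # deepest allowed selection-set nesting
MAX_BATCH = 5        # operations per JSON array body
MAX_ALIASES = 10     # aliased fields per operation (alias batching bypasses per-request limits)

_STRINGS_AND_COMMENTS = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*')
_ARGUMENTS = re.compile(r"\([^()]*\)")
_ALIAS = re.compile(r"\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*")
_INTROSPECTION = re.compile(r"\b__(?:schema|type)\b")   # __typename stays allowed


def _clean(query: str) -> str:
    """Drop string literals, comments and argument lists so their braces and colons are not counted."""
    q = _STRINGS_AND_COMMENTS.sub(" ", query)
    while True:
        stripped = _ARGUMENTS.sub("", q)
        if stripped == q:
            return q
        q = stripped


def selection_depth(query: str) -> int:
    """Deepest selection-set nesting, counting the operation's own selection set as 1."""
    depth = deepest = 0
    for ch in _clean(query):
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
    return deepest


def alias_count(query: str) -> int:
    """Number of `alias: field` pairs left once arguments and variable definitions are stripped."""
    return len(_ALIAS.findall(_clean(query)))


def check_operation(query: str) -> Tuple[bool, str]:
    if _INTROSPECTION.search(_clean(query)):
        return False, "introspection disabled"
    depth = selection_depth(query)
    if depth > MAX_DEPTH:
        return False, f"query depth {depth} exceeds {MAX_DEPTH}"
    aliases = alias_count(query)
    if aliases > MAX_ALIASES:
        return False, f"{aliases} aliases exceeds limit {MAX_ALIASES}"
    return True, "ok"


def check_request(body: str) -> Tuple[bool, str]:
    """body is the raw JSON POST body: one operation object or an array of them (batch)."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return False, "malformed JSON"
    ops = parsed if isinstance(parsed, list) else [parsed]
    if len(ops) > MAX_BATCH:
        return False, f"batch of {len(ops)} exceeds {MAX_BATCH}"
    for i, op in enumerate(ops):
        query = op.get("query") if isinstance(op, dict) else None
        if not isinstance(query, str):
            return False, f"operation {i}: missing query"
        ok, why = check_operation(query)
        if not ok:
            return False, f"operation {i}: {why}"
    return True, "ok"


def nested_query(levels: int) -> str:
    """Tester helper: `{ friends { friends { ... { name } } } }` nested `levels` deep."""
    q = "name"
    for _ in range(levels - 1):
        q = "friends { " + q + " }"
    return "{ " + q + " }"
```

When testing rather than defending, the same functions serve as the probe generator: send `nested_query(n)` for increasing `n` and record the first depth the server still answers, then repeat with alias batching and with a JSON array body, since each of the three is a separate limit that is commonly forgotten.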