api-attack-surface-mapper

API Attack Surface Mapper

When To Use

Use this skill when you need high coverage before exploitation.

When Not To Use

Do not use this as a replacement for exploit confirmation. It is a discovery and planning skill.

Required Inputs

  • target_base_url
  • api_spec_source (OpenAPI URL/file, Postman collection, or captured traffic)
  • auth_context (token types, role accounts, session rules)
  • scope_rules (in-scope services, forbidden actions)

Optional Inputs

  • known_business_flows
  • environment_limits (rate limits, test windows)
  • seed_ids (known object identifiers)

Installs: 2
GitHub Stars: 5
First Seen: Mar 9, 2026
api-attack-surface-mapper — 1ikeadragon/awesome-offsec-claude