api-security-tester
API Security Tester
This skill performs static code analysis of REST and GraphQL API implementations for vulnerabilities mapped to the OWASP API Security Top 10:2023. It identifies 10 categories of API-specific security issues — broken authorization, authentication flaws, excessive data exposure, resource consumption abuse, SSRF, and more — across JavaScript/TypeScript (Express, Fastify, NestJS), Python (Flask, Django, FastAPI), Go (net/http, Gin), and Java (Spring Boot). Each finding is mapped to CWE and OWASP API Top 10:2023 standards with UNSAFE/SAFE code pairs for remediation.
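To make the description concrete, here is an added example of the kind of check such a scanner runs; it is not the skill's own code. A short heuristic Python pass walks a constructed Express source sample, splits it into route handlers, and flags three of the listed categories (BOLA, mass assignment, SSRF) with the matching OWASP API Top 10:2023 entry and CWE. The sample handlers, the regexes and the rule set are assumptions for illustration; a regex pass is a stand-in for the AST-based analysis a real tool would do, and it includes one SAFE handler to show what a scoped lookup looks like beside the UNSAFE one.

```python
"""Added example: heuristic scanner for three OWASP API Top 10:2023 patterns in
Express route handlers. Illustrative only; not the api-security-tester skill's
own engine, and regex matching is a stand-in for proper AST analysis."""
import re
from dataclasses import dataclass

# Constructed Express source used as scanner input (not taken from any real project).
SAMPLE_SOURCE = r"""
const express = require('express');
const app = express();

// UNSAFE: record fetched by a client-supplied id with no ownership check (API1 / BOLA)
app.get('/orders/:id', async (req, res) => {
  const order = await Order.findById(req.params.id);
  res.json(order);
});

// SAFE: the lookup is scoped to the authenticated user
app.get('/invoices/:id', async (req, res) => {
  const invoice = await Invoice.findOne({ _id: req.params.id, owner: req.user.id });
  if (!invoice) return res.sendStatus(404);
  res.json(invoice);
});

// UNSAFE: the whole request body is written to the model (API3 / mass assignment)
app.put('/users/:id', async (req, res) => {
  await User.findByIdAndUpdate(req.user.id, req.body);
  res.sendStatus(204);
});

// UNSAFE: outbound request to a client-controlled URL (API7 / SSRF)
app.get('/preview', async (req, res) => {
  const r = await fetch(req.query.url);
  res.send(await r.text());
});
"""


@dataclass(frozen=True)
class Finding:
    rule: str     # OWASP API Security Top 10:2023 entry
    cwe: str
    route: str    # "METHOD /path"
    message: str


# Route header such as app.get('/path', ... (router.* too); a handler body runs to the next header.
ROUTE_RE = re.compile(r"""(?:app|router)\.(get|post|put|patch|delete)\(\s*['"]([^'"]+)['"]""")
# Record lookup keyed by a path parameter: Model.findById(req.params.id), findOne({ _id: req.params.id })
LOOKUP_BY_PARAM = re.compile(r"\.(?:findById|findOne|findByPk|findUnique|query)\([^;]*req\.params\.\w+")
# Any reference to the authenticated principal inside the handler
PRINCIPAL = re.compile(r"req\.(?:user|auth|session)\b")
# Entire req.body handed to a model write or merged into an object (assumed model method names)
MASS_ASSIGN = re.compile(
    r"\.(?:create|update|updateOne|findByIdAndUpdate|findOneAndUpdate)\([^;]*\breq\.body\b(?!\.\w)"
    r"|Object\.assign\([^;]*\breq\.body\b(?!\.\w)"
    r"|\.\.\.req\.body\b")
# Outbound HTTP call whose argument list contains request-controlled input
OUTBOUND_TAINTED = re.compile(
    r"\b(?:fetch|axios\.\w+|https?\.(?:get|request)|got)\(\s*[^;]*req\.(?:query|body|params)\.\w+")


def split_handlers(source):
    """Yield (METHOD, path, body) per route; the body is the text up to the next route header."""
    headers = list(ROUTE_RE.finditer(source))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(source)
        # Drop // comments so their wording cannot trigger a rule (would also eat '//' in URLs).
        body = re.sub(r"//[^\n]*", "", source[m.end():end])
        yield m.group(1).upper(), m.group(2), body


def scan(source):
    """Return findings in source order, one per (rule, route) that matches."""
    findings = []
    for method, path, body in split_handlers(source):
        route = f"{method} {path}"
        if LOOKUP_BY_PARAM.search(body) and not PRINCIPAL.search(body):
            findings.append(Finding("API1:2023", "CWE-639", route,
                "object fetched by client-supplied id with no check against the authenticated principal"))
        if MASS_ASSIGN.search(body):
            findings.append(Finding("API3:2023", "CWE-915", route,
                "entire req.body bound to a model write; bind an explicit allowlist of fields instead"))
        if OUTBOUND_TAINTED.search(body):
            findings.append(Finding("API7:2023", "CWE-918", route,
                "outbound request built from request input; resolve against an allowlist of hosts"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"{f.rule} {f.cwe} {f.route}: {f.message}")
```

Running it reports three findings (the orders, users and preview routes) and stays silent on the invoices route, because that handler constrains the lookup with req.user.id. The BOLA rule is deliberately simple: it only asks whether the principal is referenced anywhere in the handler, so a handler that reads req.user but never compares it to the record still passes, which is exactly the kind of gap an AST-based check with data-flow tracking closes.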
When to Use
- When the user asks to "audit API security", "review API endpoints", or "check for API vulnerabilities"
- When the user mentions "OWASP API Top 10", "BOLA", "broken authorization", or "API authentication issues"
- When reviewing REST API route handlers, GraphQL resolvers, or API middleware
- When a pull request modifies API authentication, authorization, or input validation logic
- When the user asks about "rate limiting", "mass assignment", "excessive data exposure", or "SSRF"
- When scanning code that defines API routes (Express app.get, FastAPI @app.get, Spring @GetMapping, etc.)
- When reviewing GraphQL schemas, resolvers, or query depth/complexity settings
When NOT to Use
More from kalshamsi/claude-security-skills
- pci-dss-audit: Use when auditing code for PCI-DSS v4.0 compliance, reviewing cardholder data handling, checking credit-card storage and transmission, hunting PAN logging, or answering "is this code PCI-compliant?".
- socket-sca: Supply chain analysis via Socket.dev CLI. Use when asked to scan dependencies for supply chain risks, run Socket SCA, audit npm/pip packages, detect typosquatting, or find malicious dependencies.
- crypto-audit: Use when reviewing code for weak encryption, hardcoded cryptographic keys, insecure TLS/SSL configuration, broken hashing, bad randomness, or any cryptographic implementation concern, regardless of language.
- bandit-sast: Use when scanning Python code for security vulnerabilities, running Bandit, performing Python SAST, auditing Python security bugs, or reviewing Python source for injection, weak crypto, or insecure deserialization.
- security-headers-audit: Use when reviewing HTTP security headers, checking a Content-Security-Policy, auditing CORS or HSTS configuration, evaluating X-Frame-Options or Permissions-Policy, inspecting header middleware, or hardening a web application's response headers.
- devsecops-pipeline: Generate GitHub Actions security CI/CD pipelines. Use when asked to generate a security pipeline, DevSecOps workflow, CI/CD security, GitHub Actions security, create a security workflow, add security scanning to CI, or set up automated security checks.