PluginBench
Skill
Pass
Audit score 90

api-sec

yaklang/hack-skills

How to install api-sec

npx skills add https://github.com/yaklang/hack-skills --skill api-sec
Claude Code
Cursor
Windsurf
Cline
Full instructions (SKILL.md)

Source of truth, from yaklang/hack-skills.


name: api-sec description: >- Entry P1 category router for API security. Use when choosing between API recon, authorization, token abuse, and hidden-parameter workflows before any deeper API topic skill.

API Security Router

This is the routing entry point for API security testing.

Use this skill first to decide whether the API issue is mostly recon/docs, object authorization, token trust, or GraphQL/hidden parameters, then route to a deeper topic skill.

When to Use

  • The target exposes REST APIs, mobile backends, or GraphQL endpoints
  • You need to define API testing order before going into specific topics
  • You want to handle object authorization, JWT, GraphQL, and hidden fields as separate tracks

Skill Map

Quick Triage

ObservationRoute
Swagger or OpenAPI is presentapi-recon-and-docs
IDs appear in URL, JSON, headers, or GraphQL argsapi-authorization-and-bola
JWT token visible in trafficapi-auth-and-jwt-abuse
/graphql or batched JSON arrays are presentgraphql-and-hidden-parameters
Registration, login, or profile updates accept extra fieldsapi-authorization-and-bola then api-auth-and-jwt-abuse

Recommended Flow

  1. Start with exposed endpoints and documentation assets
  2. Then evaluate object-level and function-level authorization
  3. Then evaluate token, header, signature, and rate-limit boundaries
  4. If GraphQL or complex JSON is present, continue with hidden fields and schema abuse

Related Categories