From x-skills
Use when the user provides an OpenAPI or Swagger spec and asks to find security issues, pentest the API, audit endpoints for OWASP API Top 10, or check for BOLA, BFLA, mass assignment, injection, or SSRF vulnerabilities in a running HTTP API
Slash command: /x-skills:x-api-pentest
Black-box dynamic security testing of a live HTTP API using its OpenAPI/Swagger spec as the attack surface map. Orchestrates Schemathesis, RESTler, Nuclei, sqlmap, and interactsh, with Claude reasoning over findings to catch business-logic flaws.
Files:
- config.json
- gotchas.md
- references/auth-recipes.md
- references/bola-bfla-playbook.md
- references/llm-injection-patterns.md
- references/owasp-api-top10-2023.md
- references/related-skills.md
- references/safe-execution.md
- references/sarif-schema.md
- references/tool-invocations.md
- steps/step-01-recon.md
- steps/step-02-auth-baseline.md
- steps/step-03-automated-sweep.md
- steps/step-04-targeted-tests.md
- steps/step-05-synthesize.md
- steps/step-06-report.md
- templates/finding.md.tmpl
- templates/report.sarif.tmpl
MANDATORY first step — do this BEFORE anything else:
0. Pin capabilities for the session per ../x-shared/capability-loading.md. Use the security_tools block (schemathesis, nuclei, sqlmap, spectral, interactsh) to skip lanes whose CLIs are unavailable rather than failing mid-step.
1. Read config.json to load tool paths, default flags, and safety gates (safety.require_target_confirmation, safety.allowed_target_patterns, safety.denied_target_patterns, rate caps, per-oracle toggles).
2. Read gotchas.md — known failure patterns and the Noise Filters section (patterns that must NOT be emitted as findings).
3. Read references/safe-execution.md — target allowlist, sandboxing, credential isolation.
4. If safety.require_target_confirmation is true, ASK: "Confirm you are authorized to test <target_url>. Type the URL to proceed."

This skill issues live HTTP requests, including blind re-verification of each finding. Unsandboxed against the wrong target = production incident. Before proceeding:
- The target must match safety.allowed_target_patterns (localhost, RFC1918, *.staging.*, *.test.*, *.local). Overriding this requires allow_unsafe_target=true plus explicit user confirmation.
- Run inside a sandbox (internal: true, cap_drop: ALL, no-new-privileges). Template in references/safe-execution.md.

DOES: dynamic black-box testing, OWASP API Top 10 (2023), BOLA / BFLA / mass assignment / SSRF / injection / rate-limit / business logic, markdown + SARIF output.
DOES NOT: static code review (→ ck-security, code-review), secret/dependency scanning (→ security-scan), network/infra pentest, social engineering, unauthorized testing.
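The target gate from the bootstrap steps above, as an added example written for this page and not taken from the skill: it checks a target URL against the allowed and denied patterns the page lists, treats the denied patterns as hard stops that allow_unsafe_target cannot override, and produces the confirmation prompt plus the check that the user typed the URL back. The dict layout, the "RFC1918" keyword pattern and the function names are assumptions; the real config.json schema is not shown on the page.

```python
"""Target safety gate: allowlist, denylist, override and confirmation prompt.
Illustrative code; the skill's real config.json schema is not shown on the page."""
import fnmatch
import ipaddress
from urllib.parse import urlsplit

# Defaults quoted from the skill description. Key names follow config.json as
# quoted on the page; the dict layout and the "RFC1918" keyword are assumptions.
SAFETY = {
    "require_target_confirmation": True,
    "allowed_target_patterns": ["localhost", "127.0.0.1", "::1", "RFC1918",
                                "*.staging.*", "*.test.*", "*.local"],
    "denied_target_patterns": ["*.gov", "*.mil"],
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def target_host(target_url):
    """Extract the lowercase hostname (or IP literal) from a URL; bare hosts are accepted."""
    parts = urlsplit(target_url if "://" in target_url else "http://" + target_url)
    if not parts.hostname:
        raise ValueError(f"no host in target {target_url!r}")
    return parts.hostname.lower().rstrip(".")


def host_matches(host, pattern):
    """Glob match on the hostname; the RFC1918 keyword matches private IPv4 literals only.
    A hostname is never resolved here, so a name that happens to point at a private
    address still has to match a name pattern to be allowed."""
    if pattern == "RFC1918":
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False
        return addr.version == 4 and any(addr in net for net in RFC1918)
    return fnmatch.fnmatchcase(host, pattern.lower())


def target_decision(target_url, allow_unsafe_target=False, safety=SAFETY):
    """Return (verdict, reason). verdict is one of:
    'allow'   - host matches the allowlist
    'confirm' - outside the allowlist but allow_unsafe_target is set: proceed only after the user confirms
    'deny'    - denied pattern (never overridable) or outside the allowlist without the override."""
    host = target_host(target_url)
    for pat in safety["denied_target_patterns"]:          # hard stops are checked first
        if host_matches(host, pat):
            return "deny", f"{host} matches denied pattern {pat}; no override exists"
    for pat in safety["allowed_target_patterns"]:
        if host_matches(host, pat):
            return "allow", f"{host} matches allowed pattern {pat}"
    if allow_unsafe_target:
        return "confirm", f"{host} is outside the allowlist; allow_unsafe_target set, user confirmation required"
    return "deny", f"{host} is outside the allowlist and allow_unsafe_target is false"


def confirmation_prompt(target_url):
    """The question the skill asks when safety.require_target_confirmation is true."""
    return f"Confirm you are authorized to test {target_url}. Type the URL to proceed."


def confirmation_matches(target_url, typed):
    """True when the URL typed back is the target, ignoring case in scheme/host, surrounding
    whitespace and a trailing slash. Anything else counts as 'not confirmed'."""
    def norm(url):
        p = urlsplit(url.strip())
        return p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"), p.query
    return norm(target_url) == norm(typed)
```

Denied patterns are evaluated before the allowlist and before the override, so a *.gov host is refused even with allow_unsafe_target set. The gate only classifies IP literals and hostnames as written; it does not follow DNS, so a staging-looking name that points at production is not caught by it, which is why the confirmation step stays mandatory.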
Related skills:
- api-security (Transience) is bug-bounty / recon-driven. This skill is OpenAPI/Swagger-spec driven — hand it a spec and it systematically pentests every documented endpoint.
- HexStrike is used when config.integrations.prefer_hexstrike is true; otherwise tools are run via direct CLI.
See references/related-skills.md for the full comparison.
This skill uses sequential steps. Load ONE step file at a time. Complete each before proceeding.
- steps/step-01-recon.md — spec lint, attack surface, role mapping, consent gate
- steps/step-02-auth-baseline.md — validate 2 user tokens + admin token
- steps/step-03-automated-sweep.md — parallel Schemathesis + RESTler (opt-in) + Nuclei
- steps/step-04-targeted-tests.md — BOLA/BFLA, mass assignment, SSRF, velocity, business logic, LLM injection
- steps/step-05-synthesize.md — dedupe, severity, chain-impact reasoning
- steps/step-06-report.md — markdown + SARIF, handoff

Start with step 1 now.
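Step 2 validates two user tokens plus an admin token and step 4 runs the BOLA/BFLA checks over them; references/bola-bfla-playbook.md holds the two-user matrix algorithm, which the page does not reproduce. The block below is an added example of that idea written for this page, not the playbook's code: every object an owner can read is re-requested with every other non-admin token, and every admin-only path is called with each non-admin token. The User and Endpoint structures, the in-memory fake_send standing in for the live API, and the "confirmed" / "needs review" confidence labels are all constructed for the example.

```python
"""Two-user BOLA/BFLA matrix over spec-derived endpoints.
Illustrative code written for this page; not the playbook's own implementation."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    name: str
    token: str
    role: str                                   # "user" or "admin" (from the step-01 role mapping)
    objects: dict = field(default_factory=dict) # resource name -> object id this user owns


@dataclass
class Endpoint:
    method: str
    path: str                                   # OpenAPI path template, e.g. /orders/{orderId}
    resource: Optional[str] = None              # which owned object the path parameter names
    admin_only: bool = False                    # from the spec's security requirements / role mapping


def fill_path(path, obj_id):
    """Substitute every {param} in the template with the object id."""
    return re.sub(r"\{[^}]+\}", str(obj_id), path)


def bola_bfla_matrix(endpoints, users, send):
    """send(method, url, token) -> (status, body) is the transport (real HTTP in practice).
    BOLA: an object its owner can read is re-requested with every other non-admin token.
    BFLA: every admin-only endpoint is called with every non-admin token."""
    findings = []
    for ep in endpoints:
        if ep.resource:
            for owner in users:
                if ep.resource not in owner.objects:
                    continue
                url = fill_path(ep.path, owner.objects[ep.resource])
                base_status, base_body = send(ep.method, url, owner.token)
                if not 200 <= base_status < 300:
                    continue                    # no baseline: the owner cannot read it either
                for actor in users:
                    if actor is owner or actor.role == "admin":
                        continue                # admins reading others' objects is by design
                    status, body = send(ep.method, url, actor.token)
                    if 200 <= status < 300:
                        findings.append({
                            "type": "BOLA", "endpoint": f"{ep.method} {ep.path}",
                            "owner": owner.name, "actor": actor.name,
                            # identical body: the actor received the owner's object. A different
                            # body may be a scoped view, so it is flagged for review, not confirmed.
                            "confidence": "confirmed" if body == base_body else "needs review",
                        })
        if ep.admin_only:
            for actor in users:
                if actor.role == "admin":
                    continue
                status, _ = send(ep.method, ep.path, actor.token)
                if 200 <= status < 300:
                    findings.append({"type": "BFLA", "endpoint": f"{ep.method} {ep.path}",
                                     "actor": actor.name, "confidence": "confirmed"})
    return findings


# Constructed in-memory API standing in for the live target. /orders has no ownership
# check (BOLA), /invoices enforces it, /admin/users never checks the role (BFLA).
_TOKENS = {"tok-alice": ("alice", "user"), "tok-bob": ("bob", "user"), "tok-root": ("root", "admin")}
_ORDERS = {"o-1": {"id": "o-1", "owner": "alice", "total": 10},
           "o-2": {"id": "o-2", "owner": "bob", "total": 20}}
_INVOICES = {"i-1": {"id": "i-1", "owner": "alice"}, "i-2": {"id": "i-2", "owner": "bob"}}


def fake_send(method, url, token):
    if token not in _TOKENS:
        return 401, None
    name, role = _TOKENS[token]
    if m := re.fullmatch(r"/orders/([^/]+)", url):
        order = _ORDERS.get(m.group(1))
        return (200, order) if order else (404, None)
    if m := re.fullmatch(r"/invoices/([^/]+)", url):
        inv = _INVOICES.get(m.group(1))
        if inv is None:
            return 404, None
        return (200, inv) if inv["owner"] == name or role == "admin" else (403, None)
    if url == "/admin/users":
        return 200, sorted(n for n, _ in _TOKENS.values())
    return 404, None


USERS = [User("alice", "tok-alice", "user", {"order": "o-1", "invoice": "i-1"}),
         User("bob", "tok-bob", "user", {"order": "o-2", "invoice": "i-2"}),
         User("root", "tok-root", "admin")]
ENDPOINTS = [Endpoint("GET", "/orders/{orderId}", resource="order"),
             Endpoint("GET", "/invoices/{invoiceId}", resource="invoice"),
             Endpoint("GET", "/admin/users", admin_only=True)]


def run_demo():
    return bola_bfla_matrix(ENDPOINTS, USERS, fake_send)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Against the constructed API the matrix reports two confirmed BOLA hits on /orders (each user reading the other's order) and two BFLA hits on /admin/users, and nothing for /invoices, which checks ownership. The baseline request with the owner's own token matters: without it a 403 on the cross-user request cannot be told apart from an endpoint that is simply broken, and comparing bodies rather than only status codes keeps per-user scoped views out of the confirmed bucket.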
This skill extends the canonical x-skills severity scale (../x-shared/severity-guide.md — CRITICAL / HIGH / MEDIUM / LOW) with an additional Info tier for non-actionable findings (informational / advisory only — never blocks merge). Casing follows CVSS-lite convention (Title-case: Critical / High / Medium / Low / Info) inside this skill's outputs because findings flow into SARIF (references/sarif-schema.md) and CVSS reporting tools that expect Title-case labels. When findings cross over into a generic x-skills review pipeline, map: Title-case → UPPER-case, Info → LOW.
Detail: references/owasp-api-top10-2023.md.
Loaded ONLY when needed by a step:
- references/owasp-api-top10-2023.md — risk catalog with detection oracles
- references/tool-invocations.md — exact CLI invocations with auth handling
- references/auth-recipes.md — OAuth2/JWT/API-key/refresh patterns
- references/bola-bfla-playbook.md — two-user matrix algorithm
- references/sarif-schema.md — SARIF 2.1.0 output format
- references/related-skills.md — when to use this vs Transience / HexStrike / Pwnkit / OWASP
- references/safe-execution.md — target allowlist, sandboxing, creds (read during bootstrap)
- references/llm-injection-patterns.md — Oracle G payload library (loaded by step-04 only if LLM endpoints detected)

Never test:
- targets outside safety.allowed_target_patterns without allow_unsafe_target=true
- *.gov / *.mil or any denied pattern

Gotchas: see gotchas.md — update it when you encounter new ones.
Task: {{ARGUMENTS}}
Install: `npx claudepluginhub quangtran88/x-skills --plugin x-skills`