MR
Mayur Rathi
@mayurrathi
⭐ 40.7k GitHub stars

Api Security Testing

Api Security Testing is an code AI skill with a core value of API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices. It helps developers solve real-world problems in the code domain, boosting efficiency, automating repetitive tasks, and optimizing workflows.

API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.

Last verified on: 2026-07-07

Quick Facts

Category code
Works With Claude
Source sickn33/antigravity-awesome-skills
Stars ⭐ 40.7k
Last Verified 2026-07-07
Risk Level High
mkdir -p ./skills/api-security-testing && curl -sfL https://raw.githubusercontent.com/sickn33/antigravity-awesome-skills/main/skills/api-security-testing/SKILL.md -o ./skills/api-security-testing/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# API Security Testing Workflow


Overview


Specialized workflow for testing REST and GraphQL API security including authentication, authorization, rate limiting, input validation, and API-specific vulnerabilities.


When to Use This Workflow


Use this workflow when:

- Testing REST API security

- Assessing GraphQL endpoints

- Validating API authentication

- Testing API rate limiting

- Bug bounty API testing


Workflow Phases


Phase 1: API Discovery


#### Skills to Invoke

- `api-fuzzing-bug-bounty` - API fuzzing

- `scanning-tools` - API scanning


#### Actions

1. Enumerate endpoints

2. Document API methods

3. Identify parameters

4. Map data flows

5. Review documentation


#### Copy-Paste Prompts

text
Use @api-fuzzing-bug-bounty to discover API endpoints

Phase 2: Authentication Testing


#### Skills to Invoke

- `broken-authentication` - Auth testing

- `api-security-best-practices` - API auth


#### Actions

1. Test API key validation

2. Test JWT tokens

3. Test OAuth2 flows

4. Test token expiration

5. Test refresh tokens


#### Copy-Paste Prompts

text
Use @broken-authentication to test API authentication

Phase 3: Authorization Testing


#### Skills to Invoke

- `idor-testing` - IDOR testing


#### Actions

1. Test object-level authorization

2. Test function-level authorization

3. Test role-based access

4. Test privilege escalation

5. Test multi-tenant isolation


#### Copy-Paste Prompts

text
Use @idor-testing to test API authorization

Phase 4: Input Validation


#### Skills to Invoke

- `api-fuzzing-bug-bounty` - API fuzzing

- `sql-injection-testing` - Injection testing


#### Actions

1. Test parameter validation

2. Test SQL injection

3. Test NoSQL injection

4. Test command injection

5. Test XXE injection


#### Copy-Paste Prompts

text
Use @api-fuzzing-bug-bounty to fuzz API parameters

Phase 5: Rate Limiting


#### Skills to Invoke

- `api-security-best-practices` - Rate limiting


#### Actions

1. Test rate limit headers

2. Test brute force protection

3. Test resource exhaustion

4. Test bypass techniques

5. Document limitations


#### Copy-Paste Prompts

text
Use @api-security-best-practices to test rate limiting

Phase 6: GraphQL Testing


#### Skills to Invoke

- `api-fuzzing-bug-bounty` - GraphQL fuzzing


#### Actions

1. Test introspection

2. Test query depth

3. Test query complexity

4. Test batch queries

5. Test field suggestions


#### Copy-Paste Prompts

text
Use @api-fuzzing-bug-bounty to test GraphQL security

Phase 7: Error Handling


#### Skills to Invoke

- `api-security-best-practices` - Error handling


#### Actions

1. Test error messages

2. Check information disclosure

3. Test stack traces

4. Verify logging

5. Document findings


#### Copy-Paste Prompts

text
Use @api-security-best-practices to audit API error handling

API Security Checklist


- [ ] Authentication working

- [ ] Authorization enforced

- [ ] Input validated

- [ ] Rate limiting active

- [ ] Errors sanitized

- [ ] Logging enabled

- [ ] CORS configured

- [ ] HTTPS enforced


Quality Gates


- [ ] All endpoints tested

- [ ] Vulnerabilities documented

- [ ] Remediation provided

- [ ] Report generated


Related Workflow Bundles


- `security-audit` - Security auditing

- `web-security-testing` - Web security

- `api-development` - API development

🎯 Best For

  • Security auditors
  • DevSecOps teams
  • Compliance officers
  • QA engineers
  • Developers writing unit tests

💡 Use Cases

  • Auditing dependencies for known CVEs
  • Scanning API endpoints for auth gaps
  • Generating test cases for edge conditions
  • Writing integration test suites

📖 How to Use This Skill

  1. 1

    Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. 2

    Load into Your AI Assistant

    Open Claude and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. 3

    Apply Api Security Testing to Your Work

    Open your project in the AI assistant and ask it to apply the skill. Start with a small module to verify the output quality.

  4. 4

    Review and Refine

    Review AI suggestions before committing. Run tests, check for regressions, and iterate on the skill output.

❓ Frequently Asked Questions

Can this replace a dedicated SAST tool?

AI-based security review is complementary to SAST tools. Use it as a first-pass filter, not a replacement.

Does this generate test mocks?

Many testing skills include mock generation. Check the install command and skill content for details.

Is Api Security Testing compatible with Cursor and VS Code?

Yes — this skill works with any AI coding assistant including Cursor, VS Code with Copilot, and JetBrains IDEs.

Do I need specific dependencies for Api Security Testing?

Check the install command and Works With section. Most code skills only require the AI assistant and your codebase.

How do I install Api Security Testing?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/api-security-testing/SKILL.md, ready to use.

⚠️ Common Mistakes to Avoid

Only scanning surface-level issues

Deep security review requires understanding your app architecture, not just regex patterns.

Not testing edge cases

AI tends to generate happy-path tests. Manually review for boundary conditions.

Skipping validation

Always test AI-generated code changes, even for simple refactors.

Missing dependency updates

Check if the skill requires updated dependencies or new packages.

🔗 Related Skills