scanning-api-security
Detect API security vulnerabilities including injection, broken auth, and data exposure. Use when scanning APIs for security vulnerabilities. Trigger with phrases like "scan API security", "check for vulnerabilities", or "audit API security".
Best use case
scanning-api-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Detect API security vulnerabilities including injection, broken auth, and data exposure. Use when scanning APIs for security vulnerabilities. Trigger with phrases like "scan API security", "check for vulnerabilities", or "audit API security".
Teams using scanning-api-security should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/scanning-api-security/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How scanning-api-security Compares
| Feature / Agent | scanning-api-security | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Detect API security vulnerabilities including injection, broken auth, and data exposure. Use when scanning APIs for security vulnerabilities. Trigger with phrases like "scan API security", "check for vulnerabilities", or "audit API security".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Scanning API Security
## Overview
Detect API security vulnerabilities by scanning endpoint implementations, authentication flows, and data handling against the OWASP API Security Top 10. Identify injection vectors, broken authentication, excessive data exposure, mass assignment, and missing rate limiting through static analysis of route handlers, middleware chains, and request validation logic.
## Prerequisites
- API source code with route definitions and controller/handler implementations accessible
- OpenAPI specification for cross-referencing documented vs. implemented security controls
- OWASP API Security Top 10 (2023) checklist familiarity
- Security scanning tools: OWASP ZAP, Burp Suite, or `nuclei` for dynamic testing
- Dependency vulnerability scanner: `npm audit`, `safety` (Python), or `govulncheck`
## Instructions
1. Scan all route definitions using Grep to build a complete inventory of endpoints, HTTP methods, and middleware chains applied to each route.
2. Audit authentication middleware to verify every mutation endpoint (POST, PUT, PATCH, DELETE) has auth enforcement and that no endpoints accidentally bypass auth through route ordering.
3. Check for Broken Object Level Authorization (BOLA) by verifying that resource access checks compare the authenticated user's ID/role against the requested resource ownership, not just valid authentication.
4. Identify excessive data exposure by comparing response serialization against API contracts -- flag endpoints returning full database records instead of explicit field whitelists.
5. Detect mass assignment vulnerabilities by checking whether request bodies are passed directly to ORM `create`/`update` calls without field-level allowlisting.
6. Verify input validation exists on all request parameters, query strings, headers, and body fields, checking for SQL injection, NoSQL injection, and command injection patterns.
7. Audit rate limiting configuration to ensure all public-facing and authentication endpoints have per-IP and per-user rate limits applied.
8. Check security headers (CORS, CSP, HSTS, X-Content-Type-Options) and verify CORS `Access-Control-Allow-Origin` is not set to wildcard `*` on authenticated endpoints.
9. Scan dependencies for known CVEs and generate a prioritized remediation report with severity ratings and fix recommendations.
See `${CLAUDE_SKILL_DIR}/references/implementation.md` for the full implementation guide.
## Output
- `${CLAUDE_SKILL_DIR}/reports/security-scan.json` - Machine-readable vulnerability report with severity ratings
- `${CLAUDE_SKILL_DIR}/reports/security-scan.md` - Human-readable report with remediation guidance
- `${CLAUDE_SKILL_DIR}/reports/endpoint-auth-matrix.md` - Endpoint-to-auth-middleware mapping table
- `${CLAUDE_SKILL_DIR}/reports/data-exposure-audit.md` - Fields returned vs. fields documented per endpoint
- Inline code comments marking identified vulnerabilities with `// SECURITY:` annotations
## Error Handling
| Error | Cause | Solution |
|-------|-------|----------|
| False positive on auth bypass | Route uses custom auth decorator not recognized by scanner | Add custom auth patterns to scanner configuration; document non-standard auth middleware |
| BOLA not detected | Authorization check exists but uses flawed comparison logic | Manually review ownership checks; verify tenant isolation in multi-tenant queries |
| Injection false negative | Parameterized queries mask injection in string-built sub-queries | Scan for raw SQL concatenation patterns alongside ORM usage; check dynamic query builders |
| CORS misconfiguration missed | CORS configured at reverse proxy level, not in application code | Extend scan to include nginx/Apache config files and cloud provider CORS settings |
| Dependency scan timeout | Large dependency tree with many transitive dependencies | Run dependency scan in parallel; cache vulnerability database locally |
Refer to `${CLAUDE_SKILL_DIR}/references/errors.md` for comprehensive error patterns.
## Examples
**OWASP Top 10 audit**: Scan a Node.js Express API against all 10 OWASP API Security categories, generating a compliance matrix showing pass/fail/warning status for each category with specific file:line references.
**Pre-deployment gate**: Integrate security scan into CI pipeline that blocks deployment if any Critical or High severity findings are detected, while allowing Medium/Low with documented exceptions.
**Authentication flow review**: Trace the complete auth flow from login through token issuance, refresh, and revocation, identifying token lifetime issues, missing refresh rotation, and insecure token storage patterns.
See `${CLAUDE_SKILL_DIR}/references/examples.md` for additional examples.
## Resources
- OWASP API Security Top 10 (2023): https://owasp.org/API-Security/
- OWASP ZAP API Scan: https://www.zaproxy.org/
- CWE/SANS Top 25 Most Dangerous Software Weaknesses
- RFC 6749 OAuth 2.0 Authorization FrameworkRelated Skills
scanning-for-xss-vulnerabilities
This skill enables Claude to automatically scan for XSS (Cross-Site Scripting) vulnerabilities in code. It is triggered when the user requests to "scan for XSS vulnerabilities", "check for XSS", or uses the command "/xss". The skill identifies reflected, stored, and DOM-based XSS vulnerabilities. It analyzes HTML, JavaScript, CSS, and URL contexts to detect potential exploits and suggests safe proof-of-concept payloads. This skill is best used during code review, security audits, and before deploying web applications to production.
checking-session-security
This skill enables Claude to check session security implementations within a codebase. It analyzes session management practices to identify potential vulnerabilities. Use this skill when a user requests to "check session security", "audit session handling", "review session implementation", or asks about "session security best practices" in their code. It helps identify issues like insecure session IDs, lack of proper session expiration, or insufficient protection against session fixation attacks. This skill leverages the session-security-checker plugin. Activates when you request "checking session security" functionality.
performing-security-testing
This skill automates security vulnerability testing. It is triggered when the user requests security assessments, penetration tests, or vulnerability scans. The skill covers OWASP Top 10 vulnerabilities, SQL injection, XSS, CSRF, authentication issues, and authorization flaws. Use this skill when the user mentions "security test", "vulnerability scan", "OWASP", "SQL injection", "XSS", "CSRF", "authentication", or "authorization" in the context of application or API testing.
performing-security-audits
This skill allows Claude to conduct comprehensive security audits of code, infrastructure, and configurations. It leverages various tools within the security-pro-pack plugin, including vulnerability scanning, compliance checking, cryptography review, and infrastructure security analysis. Use this skill when a user requests a "security audit," "vulnerability assessment," "compliance review," or any task involving identifying and mitigating security risks. It helps to ensure code and systems adhere to security best practices and compliance standards.
security-policy-generator
Security Policy Generator - Auto-activating skill for Security Advanced. Triggers on: security policy generator, security policy generator Part of the Security Advanced skill category.
finding-security-misconfigurations
This skill enables Claude to identify potential security misconfigurations in various systems and configurations. It leverages the security-misconfiguration-finder plugin to analyze infrastructure-as-code, application configurations, and system settings, pinpointing common vulnerabilities and compliance issues. Use this skill when the user asks to "find security misconfigurations", "check for security vulnerabilities in my configuration", "audit security settings", or requests a security assessment of a specific system or file. This skill will assist in identifying and remediating potential security weaknesses.
responding-to-security-incidents
Assists with security incident response, investigation, and remediation. This skill is triggered when the user requests help with incident response, mentions specific incident types (e.g., data breach, ransomware, DDoS), or uses terms like "incident response plan", "containment", "eradication", or "post-incident activity". It guides the user through the incident response lifecycle, from preparation to post-incident analysis. It is useful for classifying incidents, creating response playbooks, collecting evidence, constructing timelines, and generating remediation steps. Use this skill when needing to respond to a "security incident".
security-headers-generator
Security Headers Generator - Auto-activating skill for Security Fundamentals. Triggers on: security headers generator, security headers generator Part of the Security Fundamentals skill category.
analyzing-security-headers
This skill analyzes HTTP security headers of a given domain to identify potential vulnerabilities and misconfigurations. It provides a detailed report with a grade, score, and recommendations for improvement. Use this skill when the user asks to "analyze security headers", "check HTTP security", "scan for security vulnerabilities", or requests a "security audit" of a website. It will automatically activate when security-related keywords are used in conjunction with domain names or URLs.
security-group-generator
Security Group Generator - Auto-activating skill for AWS Skills. Triggers on: security group generator, security group generator Part of the AWS Skills skill category.
security-benchmark-runner
Security Benchmark Runner - Auto-activating skill for Security Advanced. Triggers on: security benchmark runner, security benchmark runner Part of the Security Advanced skill category.
scanning-market-movers
Detect significant price movements and unusual volume across crypto markets. Calculates significance scores combining price change, volume ratio, and market cap. Use when tracking market movers, finding gainers/losers, or detecting volume spikes. Trigger with phrases like "scan market movers", "top gainers", "biggest losers", "volume spikes", "what's moving", "find pumps", or "market scan".