pentest-api-attacker
Test APIs against OWASP API Security Top 10 including discovery, auth abuse, and protocol-specific checks.
About this skill
The `pentest-api-attacker` skill enables AI agents to conduct comprehensive security assessments of Application Programming Interfaces (APIs). It systematically tests APIs for vulnerabilities outlined in the OWASP API Security Top 10, covering crucial areas such as endpoint discovery, authentication and authorization bypasses, and various protocol-specific attack vectors. The skill adheres to established security standards like PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK.

This skill is invaluable for security professionals, ethical hackers, and development teams aiming to enhance the security posture of their APIs. It helps identify and remediate security flaws proactively, integrate automated security testing into CI/CD pipelines, and ensure compliance with industry best practices before deployment or during ongoing operations.

Key features include strict scope validation, generation of reproducible Proof-of-Concept (PoC) notes, and the ability to operate in a dry-run mode for planning, requiring explicit authorization for live execution. The skill produces structured outputs, including discovered endpoints, detailed findings, and an attack report, facilitating downstream analysis and remediation efforts.
Best use case
The primary use case is automating the reconnaissance and vulnerability assessment phases of API penetration testing. This benefits security engineers, ethical hackers, and DevOps teams who need to integrate consistent, automated security checks into their API development and deployment workflows, ensuring APIs are robust against common and critical attack patterns.
Users should expect a detailed, standardized report including discovered API endpoints, identified security findings with reproducible Proof-of-Concept notes, and a consolidated attack report in JSON format.
Practical example
Example input
Run a full OWASP Top 10 API security test against the target API at `https://api.mycompany.com`, using the pre-defined scope in `my_scope.json`. Output all findings to `api_findings.json` and generate a complete `api_attack_report.json`.
Example output
API security assessment completed for `https://api.mycompany.com`. Discovered 25 endpoints. Found 4 critical vulnerabilities (BOLA, BFLA, Excessive Data Exposure, Unrestricted Resource Consumption) and 7 medium-severity findings. Findings are detailed in `api_findings.json` and a summary report is available in `api_attack_report.json`.
When to use this skill
- When performing an API security audit against the OWASP Top 10.
- During the testing and QA phase of API development to identify vulnerabilities early.
- For continuous security monitoring of deployed APIs in production.
- As part of a penetration testing engagement, with explicit written authorization.
When not to use this skill
- Without explicit, written authorization from the target API owner.
- For purely functional testing; this skill focuses solely on security vulnerabilities.
- Against production systems without careful planning and risk assessment.
- If the legal and ethical guidelines for penetration testing are not fully understood or met.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/pentest-api-attacker/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How pentest-api-attacker Compares
| Feature / Agent | pentest-api-attacker | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | medium | N/A |
Frequently Asked Questions
What does this skill do?
Test APIs against OWASP API Security Top 10 including discovery, auth abuse, and protocol-specific checks.
How difficult is it to install?
The installation complexity is rated as medium. You can find the installation instructions above.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Pentest API Attacker

## Stage

- PTES: 5
- MITRE: T1190

## Objective

Enumerate and test API endpoints and business logic attack vectors.

## Required Workflow

1. Validate scope before any active action and reject out-of-scope targets.
2. Run only authorized checks aligned to PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK.
3. Write findings in canonical finding_schema format with reproducible PoC notes.
4. Honor dry-run mode and require explicit --i-have-authorization for live execution.
5. Export deterministic artifacts for downstream skill consumption.

## Execution

```bash
python skills/pentest-api-attacker/scripts/api_attacker.py --scope scope.json --target <target> --input <path> --output <path> --format json --dry-run
```

## Outputs

- `api-endpoints.json`
- `api-findings.json`
- `api-attack-report.json`

## References

- `references/tools.md`
- `skills/autonomous-pentester/shared/scope_schema.json`
- `skills/autonomous-pentester/shared/finding_schema.json`

## Legal and Ethical Notice

```text
WARNING AUTHORIZED USE ONLY
This skill executes real security testing tools against live targets.
Use only with written authorization.
```