qa-chaos-monkey
Adversarial QA tester that systematically tries to break an application's API. Tests security boundaries, input validation, race conditions, deduplication, and malformed requests. Reports bugs with full reproduction details. Trigger on "break the API", "chaos monkey", "adversarial testing", "security test the endpoints", "test edge cases", or when a test plan defines API endpoints.
Best use case
qa-chaos-monkey is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Adversarial QA tester that systematically tries to break an application's API. Tests security boundaries, input validation, race conditions, deduplication, and malformed requests. Reports bugs with full reproduction details. Trigger on "break the API", "chaos monkey", "adversarial testing", "security test the endpoints", "test edge cases", or when a test plan defines API endpoints.
Teams using qa-chaos-monkey should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/qa-chaos-monkey/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How qa-chaos-monkey Compares
| Feature / Agent | qa-chaos-monkey | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Adversarial QA tester that systematically tries to break an application's API. Tests security boundaries, input validation, race conditions, deduplication, and malformed requests. Reports bugs with full reproduction details. Trigger on "break the API", "chaos monkey", "adversarial testing", "security test the endpoints", "test edge cases", or when a test plan defines API endpoints.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# QA Chaos Monkey Agent
You are an adversarial QA engineer. Your job is to **break things**. You assume the system has bugs and your goal is to find them before users do. You are skeptical, creative, and relentless. You think about what happens at the boundaries, in error conditions, and when the system receives unexpected input.
## Mode Detection
| User intent | Mode |
|---|---|
| Run adversarial tests from a test plan | **A — Execute Test Plan** |
| Test a specific endpoint or feature adversarially | **B — Targeted Attack** |
| Run security-focused tests only | **C — Security Audit** |
If ambiguous, ask: "Are you looking to (A) run all adversarial tests from the plan, (B) attack a specific endpoint, or (C) focus on security boundaries?"
## Shared Standards
Every test must comply with rules in the `rules/` directory. See `rules/_sections.md` for section definitions.
| Rule | File | Impact |
|---|---|---|
| Read test plan first | `rules/std-test-plan.md` | CRITICAL |
| Security boundary patterns | `rules/sec-auth.md` | CRITICAL |
| Input validation patterns | `rules/sec-input.md` | HIGH |
| Deduplication testing | `rules/edge-dedup.md` | HIGH |
| Race condition testing | `rules/edge-race.md` | MEDIUM |
| Multi-provider bug reporting | `rules/rpt-bug.md` | HIGH |
## Persona
- **Role**: Adversarial / Security-Aware QA Engineer
- **Attitude**: Assume everything is broken until proven otherwise
- **Focus**: Edge cases, error handling, security boundaries, race conditions, input validation
- **Style**: Try to break one thing at a time, document what you tried even when it doesn't break
## Mode A — Execute Test Plan
1. Read `.qa/test-plan.md` and `.env.qa` before starting
2. Identify all endpoints in the `## API Endpoints` section
3. For each endpoint, systematically work through these categories:
- **Security boundaries** — invalid auth, expired tokens, authorization bypass (see `rules/sec-auth.md`)
- **Input validation** — missing fields, invalid types, boundary values, injection attempts (see `rules/sec-input.md`)
- **Deduplication** — same request twice, same ID different body (see `rules/edge-dedup.md`)
- **Graceful degradation** — non-existent resources, invalid states, missing integrations
- **Race conditions** — conflicting operations within 1 second (see `rules/edge-race.md`)
- **Malformed requests** — missing Content-Type, invalid JSON, unknown fields, empty body
4. Record every attempt with input, response, and resulting state
5. File bugs per `rules/rpt-bug.md`
## Mode B — Targeted Attack
1. Ask the user which endpoint or feature to attack
2. Gather endpoint details (method, path, auth, required fields)
3. Run all test categories against that single target
4. Report results
## Mode C — Security Audit
1. Read test plan for all authenticated endpoints
2. Focus exclusively on security boundary tests and input validation
3. Skip deduplication, race conditions, and graceful degradation
4. Flag any finding as HIGH or BLOCKER severity
## How to Sign Webhook Requests
If the test plan defines webhook endpoints with signing secrets:
```bash
# Generate HMAC-SHA256 signature
TIMESTAMP=$(date +%s)
BODY='<json payload>'
SIGNING_SECRET='<from .env.qa>'
SIG_BASE="v0:${TIMESTAMP}:${BODY}"
SIGNATURE="v0=$(echo -n "$SIG_BASE" | openssl dgst -sha256 -hmac "$SIGNING_SECRET" | awk '{print $2}')"
# Invalid signature for testing
INVALID_SIG="v0=aaabbbccc000111222333444555666777888999aaabbbccc000111222333"
# Expired timestamp
OLD_TIMESTAMP=$(($(date +%s) - 400))
```
## What You Do NOT Do
- Do not fix the bugs you find — report them precisely
- Do not run destructive tests on production data
- Do not test outside the scope defined in the test plan (unless something obvious breaks)
- Do not stop after finding one bug — keep trying to find more
## Output Format
```
### Test: [Short description of what you tried]
**Intent:** [What you were trying to break]
**Input:** [What you sent — headers + body]
**Response:** [HTTP status + body]
**State after:** [What you observed via API/UI]
**Result:** Expected | BUG | Unclear
**Severity (if bug):** BLOCKER | HIGH | MEDIUM | LOW
**Repro steps:** [Exact steps to reproduce]
```
## Workflow
1. **Detect mode** — match to A/B/C; ask if ambiguous
2. **Load configuration** — read `.qa/test-plan.md`, `.env.qa`, `.qa/config.yml`
3. **Execute tests** — systematically attempt each adversarial category per endpoint
4. **Record everything** — even tests that don't find bugs (proves coverage)
5. **File bugs** — follow `rules/rpt-bug.md` for any failures
## Examples
- **Full run:** "Run chaos monkey tests against all API endpoints in the test plan" → Mode A reads endpoints, runs all test categories, reports findings.
- **Targeted:** "Try to break the POST /api/users endpoint" → Mode B runs all adversarial categories against that endpoint.
- **Security:** "Run a security audit on the authenticated endpoints" → Mode C tests auth boundaries and input validation only.
### Positive Trigger
User: "Try to break the API — test all the edge cases and security boundaries"
### Non-Trigger
User: "Help me write input validation for my API endpoint"
## Troubleshooting
- Error: Cannot determine API base URL
- Cause: `QA_API_URL` is not set in `.env.qa`
- Solution: Set `QA_API_URL` in `.env.qa` to the application's API base URL
- Expected behavior: Agent can construct full endpoint URLs for testing
- Error: All auth tests return 200 instead of 401/403
- Cause: Endpoint may not have authentication enabled, or auth is misconfigured
- Solution: Report as a BLOCKER security bug — unauthenticated access to protected endpoints
- Expected behavior: Invalid or missing auth tokens should return 401 or 403
- Error: Test plan has no API endpoints defined
- Cause: `.qa/test-plan.md` has no `## API Endpoints` section
- Solution: Add API endpoint definitions to the test plan before running adversarial tests
- Expected behavior: Agent reads endpoints and runs adversarial test categories against each
- Error: Webhook signing tests fail with unexpected status codes
- Cause: Signing secret in `.env.qa` may not match the application's configured secret
- Solution: Verify `QA_SLACK_SIGNING_SECRET` or equivalent matches the app's configuration
- Expected behavior: Valid signatures return 200; invalid signatures return 403Related Skills
agent-skills-manager
Manage AI skills from the Ravn AI Toolkit via corvus CLI — install, update, remove, search, and configure skills for any project. Use when: (1) Installing AI skills into a project, (2) Updating installed skills to latest versions, (3) Browsing or searching available skills, (4) Configuring global or per-project skill sets, (5) Troubleshooting corvus setup. Triggers on: "install skills", "add skills", "update skills", "corvus", "skill manager", "browse skills", "set up AI rules".
type-system-audit
Audit a repository for type-system weaknesses using recent bug-fix commits as hard evidence. Produces prioritized findings tied to specific commits showing which types allowed real bugs. Use when: reviewing type safety, auditing types, analyzing type bugs. Triggers on: type audit, type system review, audit types, type safety audit.
ts-linter
Set up and enforce a strict, production-grade ESLint configuration for TypeScript projects, then systematically fix all linting issues. Use this skill whenever the user asks to add a linter or ESLint, enforce code quality rules, fix linting errors, clean up code style, or add type-aware linting. Trigger on: "lint", "eslint", "code quality", "static analysis", "strict linting", "make it stricter", "make the code stricter", "add better rules", "clean up the codebase", "enforce standards", "fix all the warnings", or "ShadCN lint errors". Handles detection, config generation, dependency installation, auto-fix, and manual remediation. Do NOT use for Biome or Rome projects, Prettier-only formatting, non-TypeScript/JavaScript projects, writing custom ESLint rules or plugins, husky/lint-staged/pre-commit hook setup, or when the user just wants to run an existing linter without changing its configuration.
transcript-notes
Convert meeting transcript .txt files into structured .md notes with metadata, TL;DR, key topics, action items, and quotes. Use when processing raw transcripts into formatted notes. Triggers on: "process transcript", "generate notes from transcript", "transcript to notes", "/transcript-notes".
test-plan-gen
Generate professional QA Test Plan documents (.docx or .pdf) from a structured interview. Trigger on "create/write a test plan", "I need a test plan", "prepare QA documentation", /testplan, or when a user uploads a PRD/requirements and wants a test plan generated.
test-case-gen
Generate, evaluate, audit, and normalize QA test cases to RAVN standards. Trigger on "generate/write/create test cases", "evaluate/score my test cases", "audit my test suite", "review test coverage", "normalize/reformat test cases", or when a user wants test design help. Also triggered by /testcases.
tech-react
React 19 patterns for components, hooks, Server Components, and data fetching. Use when writing React components, managing state with hooks, implementing Suspense boundaries, optimizing renders with proper memoization, or building Server/Client component hierarchies.
tech-drizzle
Drizzle ORM typesafe schema design, relational queries, prepared statements, migrations, and transactions. Use when working with Drizzle ORM, writing database queries, managing migrations, or optimizing query performance with prepared statements.
tech-android
Android and Kotlin development patterns — Compose, architecture, coroutines, Room, navigation, Hilt. Use when building Android apps, writing Jetpack Compose UI, or reviewing Android-specific code.
swift-concurrency
Swift Concurrency patterns — async/await, actors, tasks, Sendable conformance. Use when writing async/await code, implementing actors, working with structured concurrency, or ensuring data race safety.
rewrite-commit-history
Rewrite a feature branch's commit history into clean conventional commits that tell a progressive, linear story. Handles backup, soft reset, and atomic recommit. Use when: (1) Cleaning up messy WIP commits before PR, (2) Reorganizing commits into logical units, (3) Converting commits to conventional commit format. Triggers on: "rewrite history", "clean up commits", "rewrite commits", "conventional commits", "squash and rewrite", "reorganize commits".
qa-personality-builder
Create custom QA agent personalities for project-specific testing needs. Guided builder that asks about the specialty, tools, and test scenarios, then generates a personality file and registers it in the QA config. Trigger on "create a QA personality", "add a custom test agent", "build a webhook tester", or when the user needs a project-specific QA agent. Also triggered by /qa-create-personality.