scanning-api-security
Detect API security vulnerabilities including injection, broken auth, and data exposure. Use when scanning APIs for security vulnerabilities. Trigger with phrases like "scan API security", "check for vulnerabilities", or "audit API security".
What this skill does
# Scanning API Security
## Overview
Detect API security vulnerabilities by scanning endpoint implementations, authentication flows, and data handling against the OWASP API Security Top 10. Identify injection vectors, broken authentication, excessive data exposure, mass assignment, and missing rate limiting through static analysis of route handlers, middleware chains, and request validation logic.
## Prerequisites
- API source code with route definitions and controller/handler implementations accessible
- OpenAPI specification for cross-referencing documented vs. implemented security controls
- OWASP API Security Top 10 (2023) checklist familiarity
- Security scanning tools: OWASP ZAP, Burp Suite, or `nuclei` for dynamic testing
- Dependency vulnerability scanner: `npm audit`, `safety` (Python), or `govulncheck`
## Instructions
1. Scan all route definitions using Grep to build a complete inventory of endpoints, HTTP methods, and middleware chains applied to each route.
2. Audit authentication middleware to verify every mutation endpoint (POST, PUT, PATCH, DELETE) has auth enforcement and that no endpoints accidentally bypass auth through route ordering.
3. Check for Broken Object Level Authorization (BOLA) by verifying that resource access checks compare the authenticated user's ID/role against the requested resource ownership, not just valid authentication.
4. Identify excessive data exposure by comparing response serialization against API contracts -- flag endpoints returning full database records instead of explicit field whitelists.
5. Detect mass assignment vulnerabilities by checking whether request bodies are passed directly to ORM `create`/`update` calls without field-level allowlisting.
6. Verify input validation exists on all request parameters, query strings, headers, and body fields, checking for SQL injection, NoSQL injection, and command injection patterns.
7. Audit rate limiting configuration to ensure all public-facing and authentication endpoints have per-IP and per-user rate limits applied.
8. Check security headers (CORS, CSP, HSTS, X-Content-Type-Options) and verify CORS `Access-Control-Allow-Origin` is not set to wildcard `*` on authenticated endpoints.
9. Scan dependencies for known CVEs and generate a prioritized remediation report with severity ratings and fix recommendations.
See `${CLAUDE_SKILL_DIR}/references/implementation.md` for the full implementation guide.
## Output
- `${CLAUDE_SKILL_DIR}/reports/security-scan.json` - Machine-readable vulnerability report with severity ratings
- `${CLAUDE_SKILL_DIR}/reports/security-scan.md` - Human-readable report with remediation guidance
- `${CLAUDE_SKILL_DIR}/reports/endpoint-auth-matrix.md` - Endpoint-to-auth-middleware mapping table
- `${CLAUDE_SKILL_DIR}/reports/data-exposure-audit.md` - Fields returned vs. fields documented per endpoint
- Inline code comments marking identified vulnerabilities with `// SECURITY:` annotations
## Error Handling
| Error | Cause | Solution |
|-------|-------|----------|
| False positive on auth bypass | Route uses custom auth decorator not recognized by scanner | Add custom auth patterns to scanner configuration; document non-standard auth middleware |
| BOLA not detected | Authorization check exists but uses flawed comparison logic | Manually review ownership checks; verify tenant isolation in multi-tenant queries |
| Injection false negative | Parameterized queries mask injection in string-built sub-queries | Scan for raw SQL concatenation patterns alongside ORM usage; check dynamic query builders |
| CORS misconfiguration missed | CORS configured at reverse proxy level, not in application code | Extend scan to include nginx/Apache config files and cloud provider CORS settings |
| Dependency scan timeout | Large dependency tree with many transitive dependencies | Run dependency scan in parallel; cache vulnerability database locally |
Refer to `${CLAUDE_SKILL_DIR}/references/errors.md` for comprehensive error patterns.
## Examples
**OWASP Top 10 audit**: Scan a Node.js Express API against all 10 OWASP API Security categories, generating a compliance matrix showing pass/fail/warning status for each category with specific file:line references.
**Pre-deployment gate**: Integrate security scan into CI pipeline that blocks deployment if any Critical or High severity findings are detected, while allowing Medium/Low with documented exceptions.
**Authentication flow review**: Trace the complete auth flow from login through token issuance, refresh, and revocation, identifying token lifetime issues, missing refresh rotation, and insecure token storage patterns.
See `${CLAUDE_SKILL_DIR}/references/examples.md` for additional examples.
## Resources
- OWASP API Security Top 10 (2023): https://owasp.org/API-Security/
- OWASP ZAP API Scan: https://www.zaproxy.org/
- CWE/SANS Top 25 Most Dangerous Software Weaknesses
- RFC 6749 OAuth 2.0 Authorization Framework
Related in Backend & APIs
jfrog
IncludedInteract with the JFrog Platform via the JFrog CLI and REST/GraphQL APIs. Use this skill when the user wants to manage Artifactory repositories, upload or download artifacts, manage builds, configure permissions, manage users and groups, work with access tokens, configure JFrog CLI servers, search artifacts, manage properties, set up replication, manage JFrog Projects, run security audits or scans, look up CVE details, query exposures scan results from JFrog Advanced Security, manage release bundles and lifecycle operations, aggregate or export platform data, or perform any JFrog Platform administration task. Also use when the user mentions jf, jfrog, artifactory, xray, distribution, evidence, apptrust, onemodel, graphql, workers, mission control, curation, advanced security, exposures, or any JFrog product name.
cupynumeric-migration-readiness
IncludedPre-migration readiness assessor for porting NumPy to cuPyNumeric. Use BEFORE substantial porting work begins when the user asks whether code will scale on GPU, whether they should migrate to cuPyNumeric, which NumPy patterns transfer cleanly, what must be refactored before porting, or mentions pre-port assessment, scaling analysis, or refactor planning. Inspect the user's source code, look up NumPy usage, cross-reference the cuPyNumeric API support manifest, and distinguish distributed-scaling-friendly patterns from blockers such as unsupported APIs, scalar synchronization, host round-trips, Python/object-heavy control flow, shape/data-dependent branching, and in-place mutation hazards. Produce a verdict of READY, LIGHT REFACTOR, SIGNIFICANT REFACTOR, or NOT RECOMMENDED, with concrete refactor pointers.
alibabacloud-data-agent-skill
IncludedInvoke Alibaba Cloud Apsara Data Agent for Analytics via CLI to perform natural language-driven data analysis on enterprise databases. Data Agent for Analytics is an intelligent data analysis agent developed by Alibaba Cloud Database team for enterprise users. It automatically completes requirement analysis, data understanding, analysis insights, and report generation based on natural language descriptions. This tool supports: discovering data resources (instances/databases/tables) managed in DMS, initiating query or deep analysis sessions, real-time progress tracking, and retrieving analysis conclusions and generated reports. Use this Skill when users need to query databases, analyze data trends, generate data reports, ask questions in natural language, or mention "Data Agent", "data analysis", "database query", "SQL analysis", "data insights".
token-optimizer
IncludedReduce OpenClaw token usage and API costs through smart model routing, heartbeat optimization, budget tracking, and native 2026.2.15 features (session pruning, bootstrap size limits, cache TTL alignment). Use when token costs are high, API rate limits are being hit, or hosting multiple agents at scale. The 4 executable scripts (context_optimizer, model_router, heartbeat_optimizer, token_tracker) are local-only — no network requests, no subprocess calls, no system modifications. Reference files (PROVIDERS.md, config-patches.json) document optional multi-provider strategies that require external API keys and network access if you choose to use them. See SECURITY.md for full breakdown.
resend-cli
IncludedUse this skill when the task is specifically about operating Resend from an AI agent, terminal session, or CI job via the official resend CLI: installing/authenticating the CLI, sending/listing/updating/cancelling emails, batch sends, domains and DNS, webhooks and local listeners, inbound receiving, contacts, topics, segments, broadcasts, templates, API keys, profiles, or debugging Resend CLI/API failures. Trigger on mentions of Resend CLI, `resend`, `resend doctor`, `resend emails send`, `resend domains`, `resend webhooks listen`, `resend emails receiving`, or agent-friendly terminal automation.
alibabacloud-odps-maxframe-coding
IncludedUse this skill for MaxFrame SDK development and documentation navigation on Alibaba Cloud MaxCompute (ODPS). Helps answer MaxFrame API, concept, official example, and supported pandas API questions; create data processing programs; read/write MaxCompute tables; debug jobs (remote or local); and build custom DPE runtime images. Trigger when users mention MaxFrame, MaxCompute with MaxFrame, ODPS table processing, DPE runtime, MaxFrame docs/examples, DataFrame/Tensor operations, or GPU runtime setup. Works for both English and Chinese queries about Alibaba Cloud data processing with MaxFrame.