API Security Testing Workflow

Trust Score 78/100

Structured workflow for testing REST and GraphQL API security: auth, authorization, rate limiting, input validation and error handling.

triggers:api securitysecurity testinggraphql testingrate limitingauthentication testingapi audit

GitHub SKILL.md

What it does

Provides a step-by-step API security testing workflow for REST and GraphQL endpoints. The skill breaks testing into phases: discovery, authentication, authorization, input validation, rate limiting, GraphQL-specific tests, and error handling. It lists suggested sub-skills to invoke for fuzzing, scanning, and specific attack classes, plus checklists and quality gates for reporting.

When to use it

Use this workflow when performing security assessments, bug-bounty testing, or internal API hardening exercises that require systematic checks across authentication, authorization, input validation, rate limits, and GraphQL pitfalls. Not a substitute for expert manual review.

What's included

Scripts: None bundled (has_scripts=false)
References: None bundled (has_references=false)
Instructions: Phased testing guidance, copy-paste prompts for invoking related skills, a checklist of test cases, and recommended quality gates.

Compatible agents

Useful for security-focused agents or toolchains that can orchestrate vulnerability scanners and fuzzers (e.g., agents integrated with api-fuzzing, scanning-tools, or other security skills).

Audit Summary

A workflow-style skill that provides a 7-phase checklist for API security testing (REST and GraphQL). Contains no scripts or executable code — it's purely a structured guide referencing external skills like api-fuzzing-bug-bounty, broken-authentication, and idor-testing. The phases are well-organized but shallow, with trivially simple copy-paste prompts and no depth on methodology. Entirely dependent on referenced skills being available; does nothing standalone.

Watch Out

Depends on external skills (api-fuzzing-bug-bounty, broken-authentication, idor-testing, etc.) that may not be installed
No actual testing logic — purely a checklist workflow

Notes

Safe but shallow. Essentially a glorified checklist with skill references. Would benefit from actual testing commands, example payloads, or at least detailed methodology steps instead of just listing actions.

Information

Repository: opencode-skills-collection
Stars: 23
Installs: 0

Trust Score

Overall78

Security100

Code Quality58

Architecture55

Usefulness52

More from opencode-skills-collection

Python Performance Optimization

Profile, analyze, and optimize Python applications for CPU and memory efficiency using profiling tools and performance best practices.

Azure AI Projects SDK (TypeScript)

TypeScript SDK and examples for managing Azure AI Projects: agents, connections, deployments, datasets, indexes, and evaluations.

Memory Forensics Playbook

Practical guidance and commands for acquiring, analyzing, and extracting artifacts from memory dumps using tools like Volatility3 and common acquisition methods

Testing Patterns & Utilities

Guidelines and utilities for TDD, factory-based test data, mocking strategies, and testing patterns for React/TypeScript projects.

Skill Optimizer

Diagnose and optimize Agent Skills (SKILL.md) using session transcripts and static analysis to improve triggers, workflows, and token efficiency.

Reverse Engineer

Guided methodology and best practices for binary reverse engineering, covering static and dynamic analysis workflows and common tooling.

Related Skills

Development Worktree

Create an isolated git worktree for feature work, auto-run project setup, and verify a clean test baseline before development.

Bounty Hunter — Atlas

Persona skill: 'Atlas' — a profit-focused developer persona for discovering, evaluating and executing paid bounties or freelance tasks with ROI-aware workflows.

TradeOS

Natural-language driven CEX trading and portfolio management for agents: API key vaulting, multi-exchange orders, DCA, arbitrage scanning, alerts and security r

Full Stack Builder

End-to-end builder that scaffolds, implements, tests, and optionally deploys web and API applications from a natural-language specification.

ezBookkeeping API Tools

Command-line API tools for ezBookkeeping: record and query transactions, retrieve accounts/categories/tags, and fetch exchange rates for self-hosted personal fi

Claw Bench

Benchmarking skill that guides an agent through a structured suite of capability tests and reporting steps for leaderboard submission.

Java 25 & Spring Boot 4 Code Reviewer

Run focused, evidence-based code reviews for Java 25 and Spring Boot 4 projects — migration risks, architecture boundaries, null-safety (JSpecify), security, an

ArcKit — French Public Procurement (fr-marche-public)

Generates French public procurement (Dossier de Consultation des Entreprises) drafts aligned with the Code de la Commande Publique, UGAP frameworks, and DINUM d

Back to Skills