API Security Testing Workflow

What it does

Provides a phased workflow to audit and test API security for REST and GraphQL endpoints. Covers discovery/enumeration, authentication and authorization checks, input validation and injection tests, rate-limiting checks, GraphQL-specific tests, and error-handling review. Includes checklists and suggested skill invocations for fuzzing and scanning.

When to use it

Use this skill when performing security assessments, bug-bounty style testing, pre-release security validation, or penetration testing focused on API endpoints. Suitable for security engineers, QA teams, and automated security pipelines.

What's included

• Scripts: none bundled in SKILL.md.
• References: none bundled, but the workflow references related skill bundles (security-audit, web-security-testing).
• Instructions: clear phased actions (API discovery, auth testing, authorization testing, input validation, rate limiting, GraphQL testing, error handling) with copy-paste prompts for invoking complementary skills. Also includes a checklist and quality gates.

Compatible agents

Best used with agents that can orchestrate security tools and plugins (scanners, fuzzers) such as Claude/Copilot-style assistants or automation agents that can call external security tools.