pentest-api-attacker

Test APIs against OWASP API Security Top 10 including discovery, auth abuse, and protocol-specific checks.

Safety Notice

This item is sourced from the public archived skills repository. Treat as untrusted until reviewed.

Pentest API Attacker

Stage

  • PTES: 5
  • MITRE: T1190

Objective

Enumerate and test API endpoints and business logic attack vectors.

Required Workflow

  1. Validate scope before any active action and reject out-of-scope targets.
  2. Run only authorized checks aligned to PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK.
  3. Write findings in canonical finding_schema format with reproducible PoC notes.
  4. Honor dry-run mode and require explicit --i-have-authorization for live execution.
  5. Export deterministic artifacts for downstream skill consumption.

Execution

python skills/pentest-api-attacker/scripts/api_attacker.py --scope scope.json --target <target> --input <path> --output <path> --format json --dry-run

Outputs

  • api-endpoints.json
  • api-findings.json
  • api-attack-report.json

References

  • references/tools.md
  • skills/autonomous-pentester/shared/scope_schema.json
  • skills/autonomous-pentester/shared/finding_schema.json

Legal and Ethical Notice

WARNING: AUTHORIZED USE ONLY
This skill executes real security testing tools against live targets.
Use only with written authorization.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
