api-sec

Entry P1 category router for API security. Use when choosing between API recon, authorization, token abuse, and hidden-parameter workflows before any deeper API topic skill.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "api-sec" with this command: npx skills add yaklang/hack-skills/yaklang-hack-skills-api-sec

API Security Router

This is the routing entry point for API security testing.

Use this skill first to decide whether the API issue is mostly recon/docs, object authorization, token trust, or GraphQL/hidden parameters, then route to a deeper topic skill.

When to Use

The target exposes REST APIs, mobile backends, or GraphQL endpoints
You need to define API testing order before going into specific topics
You want to handle object authorization, JWT, GraphQL, and hidden fields as separate tracks

Skill Map

API Recon and Docs: OpenAPI, Swagger, version drift, hidden documentation
API Authorization and BOLA: BOLA, BFLA, method abuse, hidden writable fields
API Auth and JWT Abuse: bearer token, header trust, claim abuse, rate-limit bypass
GraphQL and Hidden Parameters: introspection, batching, undocumented fields, hidden parameters

Quick Triage

Observation	Route
Swagger or OpenAPI is present	api-recon-and-docs
IDs appear in URL, JSON, headers, or GraphQL args	api-authorization-and-bola
JWT token visible in traffic	api-auth-and-jwt-abuse
`/graphql` or batched JSON arrays are present	graphql-and-hidden-parameters
Registration, login, or profile updates accept extra fields	api-authorization-and-bola then api-auth-and-jwt-abuse

Recommended Flow

Start with exposed endpoints and documentation assets
Then evaluate object-level and function-level authorization
Then evaluate token, header, signature, and rate-limit boundaries
If GraphQL or complex JSON is present, continue with hidden fields and schema abuse

Related Categories

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHub Open in ClawHub

Related Skills

Related by shared tags or category signals.

General

hack

No summary provided by upstream source.

Repository SourceNeeds Review

213-yaklang

General

api-auth-and-jwt-abuse

No summary provided by upstream source.

Repository SourceNeeds Review

207-yaklang

Security

notion-cli-mcp

Notion via notion-cli — a Rust CLI + MCP server for Notion API 2025-09-03+. Safety-first agent integration with rate limiting, response-size cap, untrusted-source output envelope, read-only MCP default, JSONL audit log, and --check-request dry-runs. Supports the new data-source model, 22 property types, 12 block types, and one-shot page+body creation.

Archived SourceRecently Updated

--0xarkstar

Security

fire-smoke-detection-analysis

Detects fire and smoke in video scenes. Supports both video stream and image analysis. Suitable for fire early warning scenarios such as security surveillance, forest fire prevention, and industrial parks. | 烟火检测技能，对视频场景中火情和烟雾进行检测，支持视频流和图片检测，适用于安防监控、森林防火、工业园区等火灾预警场景

Archived SourceRecently Updated

--18072937735