
Api Recon And Docs
Enumerate REST, mobile, and GraphQL API surface—docs, versions, and hidden paths—before authorization or exploitation testing.
Overview
API Recon and Docs is an agent skill for the Ship phase that discovers API endpoints, schemas, versions, and hidden documentation surface before API security testing.
Install
npx skills add https://github.com/yaklang/hack-skills --skill api-recon-and-docs
What is this skill?
- Three primary goals: discover entrypoints, extract schemas and role differences, flag version drift and undocumented parameters
- Recon checklist: JS/client mining curl pipeline, common doc paths, and version/mobile/legacy URL patterns
- Targets swagger, OpenAPI, api-docs, GraphQL/gql, and .well-known discovery
- Extracts optional fields, admin-only examples, deprecated endpoints, and additionalProperties hints from specs
- Next-skill routing table points to api-authorization-and-bola when object IDs dominate findings
- 3 primary recon goals: entrypoints, schemas/roles, and version or undocumented surface
- 4 recon checklist areas: JavaScript mining, documentation paths, version drift, and doc-field extraction
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are testing an API but do not know all entrypoints, spec versions, or undocumented parameters that actually accept traffic.
Who is it for?
Solo builders or security-minded developers running authorized API assessments who need a repeatable recon pass before BOLA or auth testing.
Skip if: Greenfield API design from scratch, production monitoring, or any use without explicit permission to test the target system.
When should I use this skill?
Target is REST, mobile, or GraphQL API and you need endpoints, documentation, versions, and hidden surface area before API testing (AI LOAD INSTRUCTION: use this skill first).
What do I get? / Deliverables
You get a structured recon picture—paths, schemas, drift, and doc-derived hints—with clear next-skill routing for authorization and deeper tests.
- Enumerated API entrypoints and doc locations
- Schema and version-drift notes with optional routing to next hack-skills
Recommended Skills
Journey fit
Canonical shelf is Ship / security because the playbook exists to map attack surface before structured API security testing, not to build features. Security subphase matches recon-first API testing workflows that feed BOLA, auth, and GraphQL follow-on skills.
How it compares
Structured offensive recon playbook for agents—not OpenAPI codegen or everyday backend integration docs.
Common Questions / FAQ
Who is api-recon-and-docs for?
Developers and security testers using agent workflows on REST, mobile, or GraphQL APIs who need endpoint and schema discovery before deeper hack-skills in the same repo.
When should I use api-recon-and-docs?
Use it at the start of authorized API testing on Ship—before exploitation—when you must map /api routes, OpenAPI/Swagger, GraphQL, version drift, and hidden parameters.
Is api-recon-and-docs safe to install?
The skill drives reconnaissance commands against targets you specify; review the Security Audits panel on this page and only aim it at systems you are allowed to test.
Workflow Chain
Then invoke: api authorization and bola
SKILL.md - Api Recon And Docs
# SKILL: API Recon and Docs — Endpoints, Schemas, and Version Surface

> **AI LOAD INSTRUCTION**: Use this skill first when the target is a REST, mobile, or GraphQL API and you need to enumerate endpoints, documentation, versions, and hidden surface area before exploitation.

## 1. PRIMARY GOALS

1. Discover all reachable API entrypoints.
2. Extract schemas, optional fields, and role differences.
3. Identify old versions, mobile paths, GraphQL endpoints, and undocumented parameters.

## 2. RECON CHECKLIST

### JavaScript and client mining

```bash
curl https://target/app.js | grep -oE '(/api|/rest|/graphql)[^"'\'' ]+' | sort -u
```

### Common documentation and schema paths

```text
/swagger.json
/openapi.json
/api-docs
/docs
/.well-known/
/graphql
/gql
```

### Version and product drift

```text
/api/v1/
/api/v2/
/api/mobile/v1/
/legacy/
```

## 3. WHAT TO EXTRACT FROM DOCS

- optional and undocumented fields
- admin-only request examples
- deprecated endpoints that may still be active
- schema hints like `additionalProperties: true`
- parameter names tied to filtering, sorting, IDs, roles, or tenancy

## 4. NEXT ROUTING

| Finding | Next Skill |
|---|---|
| object IDs everywhere | [api authorization and bola](../api-authorization-and-bola/SKILL.md) |
| JWT, OAuth, role claims | [api auth and jwt abuse](../api-auth-and-jwt-abuse/SKILL.md) |
| GraphQL or hidden fields | [graphql and hidden parameters](../graphql-and-hidden-parameters/SKILL.md) |
| strong auth boundary but suspicious business flow | [business logic vulnerabilities](../business-logic-vulnerabilities/SKILL.md) |
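The "what to extract from docs" checklist above is as useful to the team that owns an API as it is to a tester: the same pass over a published OpenAPI document shows which optional fields, free-form objects (`additionalProperties: true`), deprecated-but-live operations, admin-flavoured examples, and ID/role/tenant parameters the spec is advertising. The script below is an added example and is not part of hack-skills or its SKILL.md; the sample spec, the regular expressions, and the finding names are all assumptions of this example, and it reads the spec from memory rather than fetching any of the doc paths listed above.

```python
import json
import re
from collections import defaultdict

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Parameter or field names worth noting: object identifiers, role/tenant
# selectors, and filter/sort controls (the checklist's "parameter names tied
# to filtering, sorting, IDs, roles, or tenancy"). The pattern is an assumption.
SENSITIVE_NAME_RE = re.compile(r"(?i)(id$|_id|role|tenant|filter|sort|order)")
# Words inside request examples that suggest an admin-only call (assumption).
ADMIN_HINT_RE = re.compile(r"(?i)admin|root|superuser")

# Constructed sample OpenAPI 3 document (hypothetical, not from any real
# target) that carries one instance of each hint the checklist looks for.
SAMPLE_SPEC = json.loads(r'''
{
  "openapi": "3.0.0",
  "paths": {
    "/api/v1/users/{userId}": {
      "get": {
        "parameters": [
          {"name": "userId", "in": "path", "required": true},
          {"name": "tenant_id", "in": "query", "required": false},
          {"name": "sort", "in": "query", "required": false}
        ]
      },
      "patch": {
        "deprecated": true,
        "requestBody": {"content": {"application/json": {"schema": {
          "type": "object",
          "additionalProperties": true,
          "required": ["email"],
          "properties": {"email": {"type": "string"}, "role": {"type": "string"}}
        }}}}
      }
    },
    "/api/v1/reports": {
      "post": {
        "requestBody": {"content": {"application/json": {
          "example": {"filter": "all", "as_admin": true}
        }}}
      }
    }
  }
}
''')


def _walk_schema(schema, location, out):
    """Recursively record optional, sensitive and free-form fields of a JSON schema."""
    if not isinstance(schema, dict):
        return
    if schema.get("additionalProperties") is True:
        out["additional-properties"].append(location)
    required = set(schema.get("required", []))
    for name, sub in schema.get("properties", {}).items():
        field = f"{location}.{name}"
        if name not in required:
            out["optional-field"].append(field)
        if SENSITIVE_NAME_RE.search(name):
            out["sensitive-field"].append(field)
        _walk_schema(sub, field, out)
    _walk_schema(schema.get("items"), f"{location}[]", out)


def audit_openapi(spec):
    """Return {finding-kind: sorted list of locations} for an OpenAPI 3 dict."""
    out = defaultdict(list)
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue
            where = f"{method.upper()} {path}"
            if op.get("deprecated"):
                out["deprecated"].append(where)
            for param in op.get("parameters", []):
                name = param.get("name", "")
                loc = f"{where} {param.get('in', '?')}:{name}"
                if not param.get("required", False):
                    out["optional-param"].append(loc)
                if SENSITIVE_NAME_RE.search(name):
                    out["sensitive-param"].append(loc)
            content = op.get("requestBody", {}).get("content", {})
            for media in content.values():
                _walk_schema(media.get("schema"), f"{where} body", out)
                example = media.get("example")
                if example is not None and ADMIN_HINT_RE.search(json.dumps(example)):
                    out["admin-example"].append(where)
    return {kind: sorted(locs) for kind, locs in out.items()}


if __name__ == "__main__":
    for kind, locs in audit_openapi(SAMPLE_SPEC).items():
        for loc in locs:
            print(f"{kind:24} {loc}")
```

Run against a real `/openapi.json` you own, the output is a review list: each deprecated operation should either be removed or confirmed to still enforce authorization, each `additionalProperties: true` body should be checked for mass-assignment handling, and each optional ID/role/tenant parameter should be traced to the server-side check that scopes it to the caller.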