
Api Sec
Route authorized API penetration testing into the right recon, authorization, JWT, or GraphQL workflow before running deeper Yak skills.
Overview
api-sec is an agent skill for the Ship phase that routes API security testing into recon, authorization, JWT abuse, or GraphQL and hidden-parameter workflows before deeper topic skills run.
Install
npx skills add https://github.com/yaklang/hack-skills --skill api-sec
What is this skill?
- P1 entry router with a four-topic skill map (recon/docs, authorization/BOLA, auth/JWT, GraphQL/hidden params)
- Quick triage table maps Swagger presence, ID leakage, bearer headers, and GraphQL signals to the next skill
- Separates object authorization, token trust, and undocumented fields into distinct testing tracks
- Use when REST backends, mobile APIs, or GraphQL need an ordered scope before topic-specific runs
- Routes to api-recon-and-docs, api-authorization-and-bola, api-auth-and-jwt-abuse, and graphql-and-hidden-parameters
- Four downstream API security topic tracks in the skill map
- Quick triage table with four observation-to-route rows
Adoption & trust: 1.2k installs on skills.sh; 980 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You expose REST, mobile, or GraphQL APIs and need a clear testing order before BOLA, token abuse, or hidden-parameter hunts—not a random skill pick.
Who is it for?
Solo builders shipping API-first products who run structured, authorized security reviews and use the Yak API-sec skill family.
Skip if: Teams skipping authorized testing scope, or builders who only need generic OWASP copy without API-specific routing.
When should I use this skill?
The target exposes REST APIs, mobile backends, or GraphQL endpoints and you need API testing order or separate tracks for authorization, JWT, and hidden parameters.
What do I get? / Deliverables
You select the correct downstream API security skill from the four-track map, then invoke that topic skill for the matched observation.
- Chosen downstream API security skill route
- Documented triage observation (docs, IDs, tokens, or GraphQL signals)
Journey fit
API security triage belongs on the Ship shelf because it sequences testing before release, alongside other security subphase skills. Security is the canonical subphase for choosing BOLA, token abuse, and hidden-parameter tracks on live API surfaces.
How it compares
Use as a security workflow router—not a single integration that runs scans for you.
Common Questions / FAQ
Who is api-sec for?
Indie and solo developers (and small security-minded teams) who maintain REST or GraphQL APIs and use agent skills for authorized API hardening and pentest-style workflows.
When should I use api-sec?
During Ship when you are validating API security: before api-recon-and-docs for Swagger drift, before authorization skills when IDs appear in paths or bodies, before JWT skills on bearer flows, or before GraphQL skills when introspection or batching is in scope.
Is api-sec safe to install?
Treat it as guidance for offensive testing patterns; review the Security Audits panel on this Prism page and only aim tests at systems you own or have written permission to assess.
Workflow Chain
Then invoke: api recon and docs, api authorization and bola
SKILL.md - Api Sec
# API Security Router

This is the routing entry point for API security testing. Use this skill first to decide whether the API issue is mostly recon/docs, object authorization, token trust, or GraphQL/hidden parameters, then route to a deeper topic skill.

## When to Use

- The target exposes REST APIs, mobile backends, or GraphQL endpoints
- You need to define API testing order before going into specific topics
- You want to handle object authorization, JWT, GraphQL, and hidden fields as separate tracks

## Skill Map

- [API Recon and Docs](../api-recon-and-docs/SKILL.md): OpenAPI, Swagger, version drift, hidden documentation
- [API Authorization and BOLA](../api-authorization-and-bola/SKILL.md): BOLA, BFLA, method abuse, hidden writable fields
- [API Auth and JWT Abuse](../api-auth-and-jwt-abuse/SKILL.md): bearer token, header trust, claim abuse, rate-limit bypass
- [GraphQL and Hidden Parameters](../graphql-and-hidden-parameters/SKILL.md): introspection, batching, undocumented fields, hidden parameters

## Quick Triage

| Observation | Route |
|---|---|
| Swagger or OpenAPI is present | [api-recon-and-docs](../api-recon-and-docs/SKILL.md) |
| IDs appear in URL, JSON, headers, or GraphQL args | [api-authorization-and-bola](../api-authorization-and-bola/SKILL.md) |
| JWT token visible in traffic | [api-auth-and-jwt-abuse](../api-auth-and-jwt-abuse/SKILL.md) |
| `/graphql` or batched JSON arrays are present | [graphql-and-hidden-parameters](../graphql-and-hidden-parameters/SKILL.md) |
| Registration, login, or profile updates accept extra fields | [api-authorization-and-bola](../api-authorization-and-bola/SKILL.md) then [api-auth-and-jwt-abuse](../api-auth-and-jwt-abuse/SKILL.md) |

## Recommended Flow

1. Start with exposed endpoints and documentation assets
2. Then evaluate object-level and function-level authorization
3. Then evaluate token, header, signature, and rate-limit boundaries
4. If GraphQL or complex JSON is present, continue with hidden fields and schema abuse

## Related Categories

- [auth-sec](../auth-sec/SKILL.md)
- [business-logic-vuln](../business-logic-vuln/SKILL.md)
- [recon-for-sec](../recon-for-sec/SKILL.md)
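The Quick Triage table and Recommended Flow above are easy to apply by hand to one request, but on a real engagement the signals are spread over a proxy capture. The script below is an added example (not code from the hack-skills repository or from Yak) that turns the table into a small triage pass over captured requests: it detects documentation paths and OpenAPI bodies, identifiers in path segments, JSON bodies, headers and GraphQL variables, structurally valid JWTs in headers, `/graphql` endpoints and batched arrays, and write requests to registration/login/profile endpoints, then emits the downstream skills in the Recommended Flow order. The `Request` record, the `SAMPLE` capture and the unsigned sample JWT are constructed for the example; the documentation-path and endpoint-name patterns are assumptions, not part of the skill.

```python
"""Triage captured API requests into the api-sec route order (added example)."""
import base64
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Skill names from the Skill Map; FLOW_ORDER is the Recommended Flow.
RECON, AUTHZ, JWT, GQL = ("api-recon-and-docs", "api-authorization-and-bola",
                          "api-auth-and-jwt-abuse", "graphql-and-hidden-parameters")
FLOW_ORDER = [RECON, AUTHZ, JWT, GQL]
# Quick Triage rows: observation key -> route(s). The extra-fields row routes to two skills in order.
ROUTES = {"docs": [RECON], "ids": [AUTHZ], "jwt": [JWT], "graphql": [GQL], "extra_fields": [AUTHZ, JWT]}

# Assumed patterns (not from the skill): common documentation paths and account-write endpoints.
DOC_PATH_RE = re.compile(r"/(swagger(-ui)?|openapi|api-docs|v\d+/api-docs)(\.json|\.yaml|\.html|/)?$", re.I)
ACCOUNT_WRITE_RE = re.compile(r"/(register|signup|login|profile|me)(/|$)", re.I)
ID_KEY_RE = re.compile(r"(^id$|_id$|Id$)")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


@dataclass
class Request:
    """One captured request; response_body is kept only for documentation detection."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[str] = None
    response_body: Optional[str] = None


def _b64url_json(segment: str) -> Optional[dict]:
    """Decode a base64url segment to a JSON object, or None if it is not one."""
    try:
        obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
        return obj if isinstance(obj, dict) else None
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError are all ValueErrors
        return None


def looks_like_jwt(token: str) -> bool:
    """Structural check only: three dot-separated parts and a JSON header carrying 'alg'."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header = _b64url_json(parts[0])
    return header is not None and "alg" in header


def _is_identifier(value) -> bool:
    """Integers, digit strings and UUIDs count as object identifiers; booleans do not."""
    if isinstance(value, bool):
        return False
    return isinstance(value, int) or (isinstance(value, str) and (value.isdigit() or bool(UUID_RE.match(value))))


def _walk_ids(obj, path: str = "") -> List[str]:
    """Collect JSON paths of id-like keys (id, user_id, orderId) holding identifier values."""
    found: List[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}" if path else k
            if ID_KEY_RE.search(k) and _is_identifier(v):
                found.append(here)
            found.extend(_walk_ids(v, here))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(_walk_ids(v, f"{path}[{i}]"))
    return found


def _parse_json(text: Optional[str]):
    try:
        return json.loads(text) if text else None
    except ValueError:
        return None


def observe(req: Request) -> Dict[str, List[str]]:
    """Map one request to Quick Triage observation keys with the evidence that triggered them."""
    obs: Dict[str, List[str]] = {}
    note = lambda key, ev: obs.setdefault(key, []).append(ev)  # noqa: E731
    body, resp = _parse_json(req.body), _parse_json(req.response_body)
    if DOC_PATH_RE.search(req.path):  # row 1: Swagger/OpenAPI present
        note("docs", f"documentation path {req.path}")
    if isinstance(resp, dict) and ("openapi" in resp or "swagger" in resp):
        note("docs", "response body is an OpenAPI/Swagger document")
    for seg in req.path.split("/"):  # row 2: IDs in URL, JSON (incl. GraphQL variables) or headers
        if seg and _is_identifier(seg):
            note("ids", f"path segment {seg}")
    for key in _walk_ids(body):
        note("ids", f"body field {key}")
    for h, v in req.headers.items():
        if h.lower().endswith(("-id", "_id")) and _is_identifier(v):
            note("ids", f"header {h}")
        token = v.split(" ", 1)[1] if v.lower().startswith("bearer ") else v
        if looks_like_jwt(token):  # row 3: JWT visible in traffic
            note("jwt", f"JWT in header {h}")
    if "/graphql" in req.path.lower():  # row 4: /graphql or batched JSON arrays
        note("graphql", f"GraphQL endpoint {req.path}")
    if isinstance(body, list) and body and all(isinstance(x, dict) for x in body):
        note("graphql", f"batched JSON array of {len(body)} operations")
    if req.method.upper() in {"POST", "PUT", "PATCH"} and isinstance(body, dict) and ACCOUNT_WRITE_RE.search(req.path):
        note("extra_fields", f"{req.method.upper()} {req.path} takes a JSON body; probe undocumented fields")  # row 5
    return obs


def route(requests: List[Request]) -> List[str]:
    """Union of matched routes over the capture, ordered by the Recommended Flow."""
    matched = {skill for req in requests for key in observe(req) for skill in ROUTES[key]}
    return [skill for skill in FLOW_ORDER if skill in matched]


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()


# Constructed sample capture; the JWT is unsigned and exists only to exercise the structural check.
SAMPLE_JWT = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}), _b64url({"sub": "10482", "role": "user"}), "sig"])
SAMPLE = [
    Request("GET", "/api/v2/openapi.json", response_body='{"openapi":"3.0.1","paths":{}}'),
    Request("GET", "/api/v2/orders/10482", headers={"Authorization": "Bearer " + SAMPLE_JWT}),
    Request("POST", "/graphql", body='[{"query":"{ me { id } }"},'
            '{"query":"query($userId:ID!){ user(id:$userId){ email } }","variables":{"userId":"42"}}]'),
    Request("PATCH", "/api/v2/profile", headers={"Content-Type": "application/json"},
            body='{"displayName":"x","role":"user"}'),
]

if __name__ == "__main__":
    for req in SAMPLE:
        for key, evidence in observe(req).items():
            print(f"{req.method} {req.path}: {key} <- {evidence}")
    print("route order:", route(SAMPLE))
```

Run it against the constructed capture and the four requests light up all five table rows, so the route order is the full Recommended Flow; a capture containing only the profile PATCH yields the two-step `api-authorization-and-bola` then `api-auth-and-jwt-abuse` route from the last table row. The JWT check is deliberately structural: it tells you a token is present to hand to the JWT skill, not whether its signature is valid.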