
Graphql And Hidden Parameters
Probe GraphQL introspection, batching, and undocumented REST/GraphQL fields when you ship an API and need to find authorization gaps before users do.
Overview
GraphQL-and-hidden-parameters is an agent skill for the Ship phase that tests GraphQL introspection, batching, undocumented fields, and hidden REST parameters for authorization gaps during authorized API reviews.
Install
npx skills add https://github.com/yaklang/hack-skills --skill graphql-and-hidden-parameters
What is this skill?
- First-pass introspection queries including __schema and __typename probes
- High-value themes: IDOR by id, operation batching, admin-only fields in types
- Hidden parameter discovery via admin docs, additionalProperties, and mobile bundles
- Fallback when introspection is restricted: suggestions, __type probes, bundle route extraction
- Routing to API authorization follow-up when hidden fields affect privilege
- 4 high-value GraphQL test themes in the skill table (IDOR, batching, hidden fields, nested authz)
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your public schema and docs look minimal, but attackers can still reach privileged fields, batch abusive operations, or smuggle undocumented parameters.
Who is it for?
Indie SaaS founders and backend-heavy solos validating GraphQL or OpenAPI-backed apps before launch or bounty programs.
Skip if: you are looking for production GraphQL design tutorials, or you intend to scan APIs you are not authorized to test.
When should I use this skill?
Use it when GraphQL is deployed, or when REST documentation suggests optional, deprecated, or undocumented fields; focus on schema discovery, hidden parameter abuse, and batching.
What do I get? / Deliverables
You produce a prioritized list of schema leaks, batching abuse paths, and hidden parameters to fix or escalate into full API authorization testing.
- Schema and hidden-field findings with reproduction queries
- Batching or IDOR cases flagged for authorization remediation
Journey fit
Schema abuse and hidden parameters are classic pre-launch API security work on products you are about to expose publicly. GraphQL IDOR, batching, and hidden-field tests map directly to application security review, not frontend polish.
How it compares
Authorized API abuse playbook, not a GraphQL server framework or generic REST client generator.
Common Questions / FAQ
Who is graphql-and-hidden-parameters for?
Builders and small teams responsible for their own API surface who need a repeatable GraphQL and hidden-parameter test pass.
When should I use graphql-and-hidden-parameters?
During Ship security when GraphQL is deployed or when REST documentation suggests optional, deprecated, or undocumented fields that could bypass authorization.
Is graphql-and-hidden-parameters safe to install?
It guides intrusive API testing—only run against systems you are permitted to test; check the Security Audits panel on this Prism page before enabling in agents.
SKILL.md
# SKILL: GraphQL and Hidden Parameters — Introspection, Batching, and Undocumented Fields

> **AI LOAD INSTRUCTION**: Use this skill when GraphQL exists or when REST documentation suggests optional, deprecated, or undocumented fields. Focus on schema discovery, hidden parameter abuse, and batching as a force multiplier.

## 1. GRAPHQL FIRST PASS

Send each of these as its own request (a single document containing two anonymous operations is rejected by spec-compliant servers):

```graphql
query { __typename }
```

```graphql
query { __schema { types { name } } }
```

A `__typename` answer confirms the endpoint speaks GraphQL even when introspection is disabled; `__schema` is the full schema dump when it is not. If introspection is restricted, continue with:

- field suggestions and error-based discovery ("Did you mean ...?" messages leak field names)
- known type probes like `__type(name: "User")`, which some servers still answer when `__schema` is blocked
- JS and mobile bundle route extraction (operation documents are usually embedded verbatim in the client)

## 2. HIGH-VALUE GRAPHQL TESTS

| Theme | Example |
|---|---|
| IDOR | `user(id: "victim")` requested with a low-privilege token |
| batching | array of login or object-fetch operations in one request, or many aliased calls in one document |
| hidden fields | admin-only fields exposed in type definitions |
| nested authz gaps | related object fields reached through a parent that carries weaker checks |

## 3. HIDDEN PARAMETER DISCOVERY

Look for:

- fields present in admin docs but not public docs
- `additionalProperties` left unset or permissive in request schemas
- frontend code using richer request bodies than visible UI controls
- mobile endpoints carrying role, org, feature-flag, or internal filter fields

## 4. NEXT ROUTING

- If hidden fields affect privilege: [api authorization and bola](../api-authorization-and-bola/SKILL.md)
- If GraphQL batching changes auth or rate behavior: [api auth and jwt abuse](../api-auth-and-jwt-abuse/SKILL.md)
- If endpoint discovery is incomplete: [api recon and docs](../api-recon-and-docs/SKILL.md)
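The following Python helpers are an added worked example for sections 1 to 3 above; they are not part of the hack-skills repository. They show how a reviewer turns an introspection response into a triage list (fields whose names hint at privilege or tenancy, root fields that take an `id`), how to build both batching forms (JSON array body and aliased calls in one document), and how to spot OpenAPI request schemas that accept unknown properties. The introspection response and OpenAPI fragment are constructed inline so the code runs offline; the field names and schema names in them are invented for illustration.

```python
import json
import re

# First-pass introspection document (section 1). Send as {"query": INTROSPECTION_QUERY}.
INTROSPECTION_QUERY = """
query {
  __schema {
    queryType { name }
    types {
      name
      fields { name args { name } type { name kind ofType { name kind } } }
    }
  }
}
"""


def type_probe_query(type_name: str) -> str:
    """Fallback when __schema is blocked: some servers still answer __type."""
    return 'query { __type(name: "%s") { name fields { name } } }' % type_name


# Field names that usually mark privilege, tenancy or internal-only data.
# The word list is an assumption; extend it per target.
SENSITIVE = re.compile(r"admin|role|internal|staff|permission|org|tenant|flag", re.I)


def flag_sensitive_fields(introspection: dict) -> list:
    """Return (type, field) pairs worth testing with a low-privilege token (section 2, hidden fields)."""
    hits = []
    for t in introspection["data"]["__schema"]["types"]:
        if t["name"].startswith("__"):  # skip the introspection meta types
            continue
        for f in t.get("fields") or []:
            if SENSITIVE.search(f["name"]):
                hits.append((t["name"], f["name"]))
    return hits


def idor_candidates(introspection: dict) -> list:
    """Root Query fields that take an `id` argument: try another user's id on each (section 2, IDOR)."""
    schema = introspection["data"]["__schema"]
    root = schema["queryType"]["name"]
    for t in schema["types"]:
        if t["name"] == root:
            return [f["name"] for f in t["fields"]
                    if any(a["name"] == "id" for a in f.get("args") or [])]
    return []


def alias_batch(field: str, arg: str, values: list) -> str:
    """One document, many aliased calls. Bypasses per-request rate limits even
    when the server rejects JSON-array batching (section 2, batching)."""
    calls = "\n".join('  a%d: %s(%s: %s) { __typename }' % (i, field, arg, json.dumps(v))
                      for i, v in enumerate(values))
    return "query {\n%s\n}" % calls


def array_batch(query: str, variable_sets: list) -> str:
    """JSON array body for servers that accept batched operations (section 2, batching)."""
    return json.dumps([{"query": query, "variables": v} for v in variable_sets])


def permissive_schemas(openapi: dict) -> list:
    """Component object schemas that accept unknown properties (section 3).
    Anything but an explicit `additionalProperties: false` lets hidden parameters through."""
    out = []
    for name, s in openapi.get("components", {}).get("schemas", {}).items():
        if s.get("type") == "object" and s.get("additionalProperties", True) is not False:
            out.append(name)
    return out


# Constructed introspection response, shaped like a real server's answer to INTROSPECTION_QUERY.
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [
        {"name": "Query", "fields": [
            {"name": "me", "args": []},
            {"name": "user", "args": [{"name": "id"}]},
            {"name": "invoice", "args": [{"name": "id"}]},
        ]},
        {"name": "User", "fields": [
            {"name": "id"}, {"name": "email"}, {"name": "isAdmin"}, {"name": "orgId"},
        ]},
        {"name": "__Schema", "fields": [{"name": "types"}]},
    ],
}}}

# Constructed OpenAPI fragment: one strict schema, one with the key missing, one with a permissive value.
SAMPLE_OPENAPI = {"components": {"schemas": {
    "CreateUser": {"type": "object", "properties": {"email": {"type": "string"}},
                   "additionalProperties": False},
    "UpdateProfile": {"type": "object", "properties": {"name": {"type": "string"}}},
    "Address": {"type": "object", "additionalProperties": {"type": "string"}},
}}}

if __name__ == "__main__":
    print("sensitive fields:", flag_sensitive_fields(SAMPLE_INTROSPECTION))
    print("id-taking root fields:", idor_candidates(SAMPLE_INTROSPECTION))
    print(alias_batch("user", "id", ["1", "2"]))
    print("permissive schemas:", permissive_schemas(SAMPLE_OPENAPI))
```

Each flagged item is a test case, not a finding: an `isAdmin` field or an `id`-taking `user` query is only a bug once a low-privilege token actually reads it, which is the follow-up that section 4 routes to the api-authorization-and-bola skill.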