Install: `npx claudepluginhub anthropics/claude-plugins-official --plugin postman`

# API Security Audit
Audit your API for security issues: missing auth, exposed sensitive data, insecure transport, weak validation, and OWASP API Security Top 10 alignment. Works with local OpenAPI specs and Postman collections.

## Prerequisites

For collection auditing, the Postman MCP Server must be connected. Local spec auditing works without MCP. If needed, tell the user: "Run `/postman:setup` to configure the Postman MCP Server."
## Workflow

### Step 1: Find the Source

Call `getWorkspaces` to get the user's workspace ID. If multiple workspaces exist, ask which to use.

**Local spec:**
- `**/openapi.{json,yaml,yml}`, `**/swagger.{json,yaml,yml}`

**Postman spec (via MCP):**
- `getAllSpecs` with the workspace ID to find specs
- `getSpecDefinition` for the full spec content

**Postman collection (via MCP):**
- `getCollections` with the workspace parameter
- `getCollection` for full detail including auth config
- `getEnvironment` to check for exposed secrets

**Authentication and Authorization:**

**Transport Security:**

**Sensitive Data Exposure:**
- `format: password`
- `getEnvironment`

**Input Validation:**
- `maxLength`
- `minimum`/`maximum`
- `maxItems`

**Rate Limiting:**

**Error Handling:**

**OWASP API Top 10 Alignment:**
Example report:

```text
API Security Audit: pet-store-api.yaml

CRITICAL (2):
SEC-001: 3 endpoints have no security scheme applied
  - GET /admin/users
  - DELETE /admin/users/{id}
  - PUT /admin/config
SEC-002: Server URL uses HTTP (http://api.example.com)

HIGH (3):
SEC-003: No rate limiting documentation or 429 response
SEC-004: API key sent as query parameter (use header instead)
SEC-005: No maxLength on 8 string inputs (injection risk)

MEDIUM (2):
SEC-006: Password field visible in GET /users/{id} response
SEC-007: Environment variable 'db_password' not marked secret

Score: 48/100 — Significant Issues
```
For each finding:

For Postman-specific issues:
- `putEnvironment` to mark secrets properly
- `updateCollectionRequest` to fix auth configuration
- `updateCollectionResponse` to remove sensitive data from examples

After fixes, re-run the audit to show improvement.
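As an added example (not the plugin's own code), a small Python audit that applies several of the checks above to an in-memory OpenAPI 3 document and emits findings in the report's ID/severity shape. The spec is a constructed sample, and the check logic is an illustration of the categories, not the plugin's implementation.

```python
SPEC = {  # constructed sample spec (hypothetical) with deliberate weaknesses
    "servers": [{"url": "http://api.example.com"}],
    "components": {"securitySchemes": {
        "apiKey": {"type": "apiKey", "in": "query", "name": "api_key"},
        "bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/admin/users": {"get": {"responses": {"200": {"description": "ok"}}}},
        "/users/{id}": {"get": {
            "security": [{"bearer": []}],
            "parameters": [{"name": "q", "in": "query", "schema": {"type": "string"}}],
            "responses": {"200": {"description": "ok", "content": {"application/json": {
                "schema": {"type": "object", "properties": {
                    "name": {"type": "string"},
                    "password": {"type": "string", "format": "password"}}}}}}}}},
    },
}
METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}

def audit(spec: dict) -> list[tuple[str, str, str]]:
    """Return (finding id, severity, message) tuples, one per issue found."""
    findings = []
    # Transport security: every server URL should be https
    for srv in spec.get("servers", []):
        if srv.get("url", "").startswith("http://"):
            findings.append(("SEC-002", "CRITICAL", f"server URL uses HTTP ({srv['url']})"))
    # Authentication: API keys belong in a header, not the query string (URLs get logged)
    for name, scheme in spec.get("components", {}).get("securitySchemes", {}).items():
        if scheme.get("type") == "apiKey" and scheme.get("in") == "query":
            findings.append(("SEC-004", "HIGH", f"API key '{name}' sent as query parameter"))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS:
                continue
            where = f"{method.upper()} {path}"
            # Authorization: operation-level security overrides the global default; an empty list means none
            sec = op["security"] if "security" in op else spec.get("security")
            if not sec:
                findings.append(("SEC-001", "CRITICAL", f"no security scheme applied to {where}"))
            # Input validation: string parameters without an upper bound
            for p in op.get("parameters", []):
                s = p.get("schema", {})
                if s.get("type") == "string" and "maxLength" not in s:
                    findings.append(("SEC-005", "HIGH", f"no maxLength on '{p['name']}' in {where}"))
            # Sensitive data exposure: password-format fields in response schemas
            for code, resp in op.get("responses", {}).items():
                for media in resp.get("content", {}).values():
                    for pname, prop in media.get("schema", {}).get("properties", {}).items():
                        if prop.get("format") == "password":
                            findings.append(("SEC-006", "MEDIUM", f"password field '{pname}' in {where} {code} response"))
    return findings
```

Response schemas referenced through `$ref` are not resolved here; a real audit would dereference them before inspecting properties.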