By 42Crunch-AI
Catch API security issues during development: audit, scan, remediate, validate with AI guardrails in Claude Code.
Run both a 42Crunch Audit and a live Scan together in a single pipeline. Use this skill when the user wants to run audit and scan together, complete the full security pipeline, or when the request is ambiguous about which phase to run. Triggers on phrases like "run audit and scan", "full 42crunch pipeline", "full security check", "audit then scan", "42crunch", or "SQG". Do NOT use this skill if the user explicitly requests only an audit (use 42crunch-audit) or only a scan (use 42crunch-scan).
Run a 42Crunch API Security Audit and fix SQG-blocking issues in an OpenAPI Specification file. Use this skill whenever the user wants to audit an OAS file for security issues, fix SQG-blocking issues, score an API, apply data dictionary enrichment, or remediate audit findings. Triggers on phrases like "run audit", "audit only", "fix audit issues", "SQG audit", "42crunch audit", "audit score", or any request focused on static OAS analysis and remediation without running a live scan.
Run a 42Crunch live conformance and authorization scan against an API and fix SQG-blocking scan findings. Use this skill whenever the user wants to run a conformance test, authorization scan, BOLA test, BFLA test, generate or configure a scan config, or fix scan-reported issues. Triggers on phrases like "run scan", "scan only", "conformance test", "BOLA test", "BFLA test", "42crunch scan", "scan config", or any request focused on live API testing without running a static audit. Use 42crunch-api-security-testing when the user wants both audit and scan together.
Set up the 42Crunch environment so that audit and scan skills can run without friction. Use this skill whenever the user wants to configure 42Crunch for the first time, install or update the 42c-ast binary, configure an API key, or troubleshoot missing credentials or binary errors. Triggers on phrases like "setup 42crunch", "configure 42crunch", "install 42c-ast", "update 42c-ast", "set api key", "42crunch not working", "binary not found", or any request to prepare the environment before running an audit or scan.
Generate a complete OpenAPI 3.0 (OAS) specification from an API codebase, a Postman or Insomnia collection, or both together. Use this skill whenever the user wants to generate, create, or derive an OpenAPI spec, reverse-engineer an API definition, document an existing API, or convert a Postman/Insomnia collection to OpenAPI — when there is no existing OAS file yet. Triggers on phrases like "generate OAS", "create an OpenAPI spec", "generate openapi.json", "document my API", "reverse-engineer spec", "convert postman to openapi", "convert insomnia to openapi", "postman collection to OAS", "insomnia collection to OAS", or any request to produce an OAS file from source material rather than from an existing spec.
The official 42Crunch plugin marketplace for Claude Code — a catalog of AI-powered plugins that bring 42Crunch's API security capabilities directly into your Claude Code workflow.
42Crunch plugins give Claude the ability to audit OpenAPI specs, scan live APIs for vulnerabilities, and apply fixes to ensure APIs meet security guardrails.
.claude-plugin/
marketplace.json # Plugin registry manifest
docs/ # Repository-level documentation assets
images/ # Screenshots and diagrams used in READMEs
plugins/ # Claude plugins developed by 42Crunch
api-security-testing/
.claude-plugin/
plugin.json # Plugin metadata
skills/ # Skill definitions
references/ # Reference definitions
README.md # Documentation
LICENSE # License
The Claude Code CLI is required to add marketplaces and install plugins using the claude CLI commands below.
Register the 42Crunch marketplace with Claude Code:
claude plugin marketplace add https://github.com/42Crunch-AI/claude-plugins
/plugin marketplace add https://github.com/42Crunch-AI/claude-plugins
/plugin and press Enter to open the plugin manager:
https://github.com/42Crunch-AI/claude-plugins
AI-powered API security plugin backed by 42Crunch. Audit OpenAPI specs, detect OWASP API Security vulnerabilities (including BOLA/BFLA), run live conformance and authorization scans against running APIs, and apply AI-assisted fixes — all through natural language.
Install: After registering the marketplace (see above), install the plugin:
claude plugin install 42crunch-api-security-testing@42crunch-marketplace
/plugin install 42crunch-api-security-testing@42crunch-marketplace
42crunch-api-security-testing plugin


See the plugin README for full documentation and RECIPES.md for common scenario guides.
Based on adoption, maintenance, documentation, and repository signals. Not a security audit or endorsement.
npx claudepluginhub 42crunch-ai/claude-plugins --plugin 42crunch-api-security-testingComprehensive skill pack with 66 specialized skills for full-stack developers: 12 language experts (Python, TypeScript, Go, Rust, C++, Swift, Kotlin, C#, PHP, Java, SQL, JavaScript), 10 backend frameworks, 6 frontend/mobile, plus infrastructure, DevOps, security, and testing. Features progressive disclosure architecture for 50% faster loading.
Access thousands of AI prompts and skills directly in your AI coding assistant. Search prompts, discover skills, save your own, and improve prompts with AI.
Harness-native ECC operator layer - 60 agents, 232 skills, 75 legacy command shims, reusable hooks, rules, selective install profiles, and production-ready workflows for Claude Code, Codex, OpenCode, Cursor, and related agent harnesses
Design fluency for frontend development. 1 skill with 23 commands (/impeccable polish, /impeccable audit, /impeccable critique, etc.) and curated anti-pattern detection.
Lazy senior dev mode. Forces the simplest, shortest solution that actually works: YAGNI, stdlib first, no unrequested abstractions.
Behavioral guidelines to reduce common LLM coding mistakes, derived from Andrej Karpathy's observations on LLM coding pitfalls
Own this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimOwn this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claim