From 42crunch-api-security-testing
Set up the 42Crunch environment so that audit and scan skills can run without friction. Use this skill whenever the user wants to configure 42Crunch for the first time, install or update the 42c-ast binary, configure an API key, or troubleshoot missing credentials or binary errors. Triggers on phrases like "setup 42crunch", "configure 42crunch", "install 42c-ast", "update 42c-ast", "set api key", "42crunch not working", "binary not found", or any request to prepare the environment before running an audit or scan.
How this skill is triggered — by the user, by Claude, or both
Slash command
/42crunch-api-security-testing:42crunch-setupThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Prepares the environment for 42Crunch audit and scan workflows in two phases:
Prepares the environment for 42Crunch audit and scan workflows in two phases:
42c-ast binary is installed at the canonical path.Caller context: This skill may be invoked directly by the user or as a subroutine by another skill (e.g.
pre-flight). Check whether a caller was passed. Steps 1 and 6 behave differently depending on this context — see each step for details.
If called directly by the user (no caller context), greet the user and explain what they'll be able to do once setup is complete:
Welcome — let me get your 42Crunch environment ready. This is a one-time setup that takes about two minutes. Once done, you'll be able to:
- Audit any OpenAPI file for security issues and get a scored, actionable report
- Scan a live API to catch BOLA, BFLA, and conformance problems
- Fix SQG-blocking issues automatically, with your approval at every step
I'll handle this in two quick steps:
- Install the
42c-astanalysis binary on this machine.- Connect your 42Crunch credentials (a token from Starter (Free Trial) / Individual / Individual Pro, or a Platform account with an API key for Team 10 / Team 25 / Enterprise).
Let's go.
If called as a subroutine (caller context is set), skip this greeting entirely and proceed directly to Step 2.
Follow ../../references/binary-setup.md completely (verbose mode — announce each major step to the user).
Stop and surface a clear error if the binary cannot be installed. Do not proceed to Step 3.
Follow ../../references/credential-setup.md completely.
The procedure covers, in order:
~/.42crunch/conf/env (macOS/Linux) or %APPDATA%\42Crunch\conf\env
(Windows). If already configured: show mode + masked key, offer to keep or replace.[42Crunch Starter (Free Trial)](https://42crunch.com/freemium/?source=claude)) and the paid-plans pricing breakdown (Individual / Individual Pro use a token; Team 10 / Team 25 / Enterprise use a Platform account with an API key); stop and wait for the user to return, then ask token vs Platform-API-key and route accordingly~/.42crunch/conf/env, set chmod 600 on macOS/Linux.Steps 2 and 3 already end with their own verification: binary-setup.md
confirms --version exits 0, and credential-setup.md Step 4 confirms the
credential line is present. If both results are already in this conversation,
do not re-run those commands — reuse the results and continue to Step 5.
Only run the checks below for a part whose result is missing from this conversation. The credential check is presence-only — never print the value:
# Binary (macOS / Linux)
"$HOME/.42crunch/bin/42c-ast" --version
# Binary (Windows)
& "$env:APPDATA\42Crunch\bin\42c-ast.exe" --version
# Credentials (macOS / Linux)
grep -qE "^(API_KEY|TRIAL_TOKEN)=" "$HOME/.42crunch/conf/env" && echo "CREDS=OK" || echo "CREDS=MISSING"
# Credentials (Windows)
if (Select-String -Path "$env:APPDATA\42Crunch\conf\env" -Pattern "^(API_KEY|TRIAL_TOKEN)=" -Quiet) { "CREDS=OK" } else { "CREDS=MISSING" }
If either check fails, report the specific failure and guide the user to resolve it before continuing.
Display the setup summary (see Output Format below).
If called as a subroutine (caller context is set), skip the next-steps
prompt entirely. Announce "Setup complete — continuing." and return control
to the caller. The caller (e.g. pre-flight) will resume from where it left
off.
If called directly by the user (no caller context), present the following:
You're all set. Here's what you can do right now:
42crunch-audit— Hand me an OpenAPI file and I'll score it, classify every security issue by severity, and fix the SQG-blocking ones with your approval. A good first step if you haven't audited this API before.
42crunch-scan— Run a live conformance and authorization test against a running API. I'll check for BOLA, BFLA, and response-contract violations. Best run after the audit passes.
42crunch-api-security-testing— Runs both audit and scan back-to-back. The recommended workflow when you want the full picture in one session.Which would you like to start with?
## 42Crunch Setup Complete
| Item | Status |
|------------------|-----------------------------------------------------|
| Binary | <BINARY_PATH> v<version> |
| Credential mode | <Platform \| Token> |
| API key / Token | Platform: `api_••••••••` or `ide_••••••••` |
| | Token: `<first-4-chars>••••••••` |
| | (stored in <path>) |
| Platform host | <url> ← omit this row for Token mode |
api_•••••••• / ide_•••••••• for platform tokens — keep
prefix, replace rest; <first-4-chars>•••••••• for tokens, e.g.
eyJh••••••••).Bash tool for all shell commands; use the Edit or Write
tools when writing config files — never shell redirection.curl for downloads; fall back to wget if curl is unavailable. On
Windows use Invoke-WebRequest.42c-ast.exe, paths use \, config lives in
%APPDATA%\42Crunch\conf\env, skip chmod 600 (Windows ACLs protect APPDATA).| Variable | Default | Mode |
|---|---|---|
API_KEY | (required) | Platform (Team 10 / Team 25 / Enterprise) |
PLATFORM_HOST | (set during setup) | Platform only (Team 10 / Team 25 / Enterprise) |
TRIAL_TOKEN | (required) | Token-based (Starter (Free Trial) / Individual / Individual Pro) |
npx claudepluginhub 42crunch-ai/claude-plugins --plugin 42crunch-api-security-testingPrevents silent decimal mismatch bugs across EVM chains with runtime lookup, chain-aware caching, and safe normalization for bots, dashboards, and DeFi tools.