Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From api-security-scanner
Scans API code for OWASP Top 10 vulnerabilities: injection, BOLA, broken auth, mass assignment, excessive data exposure, missing rate limits, and weak validation.
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin api-security-scannerHow this skill is triggered — by the user, by Claude, or both
Slash command
/api-security-scanner:scanning-api-securityThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Detect API security vulnerabilities by scanning endpoint implementations, authentication flows, and data handling against the OWASP API Security Top 10. Identify injection vectors, broken authentication, excessive data exposure, mass assignment, and missing rate limiting through static analysis of route handlers, middleware chains, and request validation logic.
Audits REST, GraphQL, and RPC APIs against OWASP API Security Top 10, focusing on BOLA, authentication, and access control.
Audits web applications and REST APIs for OWASP Top 10 vulnerabilities including broken access control, authentication failures, data protection, and configuration issues. Use when reviewing code, auth/authz, APIs, or before deployment.
Identifies OWASP API Security Top 10 (2023) vulnerabilities like BOLA in REST, GraphQL, gRPC APIs during audits, with code examples and detection patterns for Express, Flask, Spring Boot, Go.
Share bugs, ideas, or general feedback.
Detect API security vulnerabilities by scanning endpoint implementations, authentication flows, and data handling against the OWASP API Security Top 10. Identify injection vectors, broken authentication, excessive data exposure, mass assignment, and missing rate limiting through static analysis of route handlers, middleware chains, and request validation logic.
nuclei for dynamic testingnpm audit, safety (Python), or govulncheckcreate/update calls without field-level allowlisting.Access-Control-Allow-Origin is not set to wildcard * on authenticated endpoints.See ${CLAUDE_SKILL_DIR}/references/implementation.md for the full implementation guide.
${CLAUDE_SKILL_DIR}/reports/security-scan.json - Machine-readable vulnerability report with severity ratings${CLAUDE_SKILL_DIR}/reports/security-scan.md - Human-readable report with remediation guidance${CLAUDE_SKILL_DIR}/reports/endpoint-auth-matrix.md - Endpoint-to-auth-middleware mapping table${CLAUDE_SKILL_DIR}/reports/data-exposure-audit.md - Fields returned vs. fields documented per endpoint// SECURITY: annotations| Error | Cause | Solution |
|---|---|---|
| False positive on auth bypass | Route uses custom auth decorator not recognized by scanner | Add custom auth patterns to scanner configuration; document non-standard auth middleware |
| BOLA not detected | Authorization check exists but uses flawed comparison logic | Manually review ownership checks; verify tenant isolation in multi-tenant queries |
| Injection false negative | Parameterized queries mask injection in string-built sub-queries | Scan for raw SQL concatenation patterns alongside ORM usage; check dynamic query builders |
| CORS misconfiguration missed | CORS configured at reverse proxy level, not in application code | Extend scan to include nginx/Apache config files and cloud provider CORS settings |
| Dependency scan timeout | Large dependency tree with many transitive dependencies | Run dependency scan in parallel; cache vulnerability database locally |
Refer to ${CLAUDE_SKILL_DIR}/references/errors.md for comprehensive error patterns.
OWASP Top 10 audit: Scan a Node.js Express API against all 10 OWASP API Security categories, generating a compliance matrix showing pass/fail/warning status for each category with specific file:line references.
Pre-deployment gate: Integrate security scan into CI pipeline that blocks deployment if any Critical or High severity findings are detected, while allowing Medium/Low with documented exceptions.
Authentication flow review: Trace the complete auth flow from login through token issuance, refresh, and revocation, identifying token lifetime issues, missing refresh rotation, and insecure token storage patterns.
See ${CLAUDE_SKILL_DIR}/references/examples.md for additional examples.