pentest-api-attacker
Test APIs against OWASP API Security Top 10 including discovery, auth abuse, and protocol-specific checks.
Install via ClawdBot CLI:
clawdbot install 0x-Professor/pentest-api-attacker
Grade Fair — based on market validation, documentation quality, package completeness, maintenance status, and authenticity signals.
Calls external URL not in known-safe list
https://github.com/assetnote/kiterunner
Audited Apr 16, 2026 · audit v1.0
Generated Mar 20, 2026
This scenario involves testing banking or fintech APIs for vulnerabilities like broken authentication or excessive data exposure, which could lead to unauthorized transactions or data breaches. The skill validates scope to ensure only authorized endpoints are tested, aligning with regulatory compliance needs such as PCI DSS.
In this scenario, the skill is used to assess healthcare APIs handling patient data for vulnerabilities under OWASP API Top 10, such as injection attacks or mass assignment. It ensures compliance with HIPAA by executing only authorized checks and generating reproducible findings for audit trails.
This scenario focuses on testing e-commerce APIs for business logic flaws like price manipulation or inventory abuse, which could impact revenue. The skill enumerates endpoints, runs protocol-specific checks, and exports artifacts to support remediation efforts without disrupting live operations in dry-run mode.
Here, the skill assesses APIs in IoT ecosystems for vulnerabilities such as insecure direct object references or lack of rate limiting, which could compromise device control. It aligns with MITRE ATT&CK techniques to simulate real-world attacks while honoring authorization requirements for safe execution.
This scenario involves using the skill to test government APIs for security weaknesses as per standards like NIST SP 800-115, ensuring data integrity and confidentiality. It validates scope to avoid out-of-target testing and generates structured reports for compliance documentation and incident response planning.
MSSPs can integrate this skill into their service offerings to provide automated API penetration testing for clients, scaling security assessments across multiple industries. Revenue is generated through subscription-based or per-assessment fees, leveraging the skill's deterministic outputs for consistent reporting.
Organizations with internal security teams use this skill to conduct regular API security audits, reducing reliance on external consultants. Savings come from avoiding the cost of potential breaches, and it supports compliance efforts by integrating with existing workflows and artifact exports.
Training providers incorporate this skill into hands-on labs for teaching API security concepts, aligning with OWASP and MITRE frameworks. Revenue comes from course fees and certification programs, using the skill's dry-run mode to safely demonstrate attacks in controlled environments.
💬 Integration Tip
Ensure scope.json is properly configured to avoid out-of-scope targets, and use the --dry-run flag initially to validate checks before live execution with authorization.
Scored Apr 19, 2026
Scan networks to discover devices, gather MAC addresses, vendors, and hostnames. Includes safety checks to prevent accidental scanning of public networks.
Use when conducting security audits, reviewing code for vulnerabilities, or analyzing infrastructure security. Invoke for SAST scans, penetration testing, DevSecOps practices, cloud security reviews.
Perform network reconnaissance and port scanning with Nmap to find open ports, detect services, identify vulnerabilities, and enumerate targets accurately.
Security engineering toolkit for threat modeling, vulnerability analysis, secure architecture, and penetration testing. Includes STRIDE analysis, OWASP guida...
Plan and orchestrate authorized Nmap host discovery, port and service enumeration, NSE profiling, and reporting artifacts for in-scope targets.
Set up authorized C2 simulation workflows and measure defensive detection outcomes.