API Security Scanner 🔒
Description
Automated security scanner for REST API endpoints. Performs security audit against OWASP API Security Top 10, detecting authentication issues, authorization flaws, data exposure, injection risks, and more.
对 REST API 端点进行自动化安全审计,覆盖 OWASP API 安全 Top 10,检测认证/授权问题、数据泄露、注入风险等常见隐患。
When to Use This Skill
Use this skill when:
- You need to audit API endpoints for security vulnerabilities(审计 API 端点的安全漏洞)
- You want to review API design/config for security best practices(审查 API 设计/配置的安全最佳实践)
- You need to generate a security report before deployment(部署前生成安全报告)
- You're reviewing API documentation for security issues(审查 API 文档中的安全问题)
- You want to harden your API against common attack vectors(加固 API 抵御常见攻击向量)
Usage Modes
Mode 1: Full Scan — 完整扫描
请扫描以下 API 端点的安全问题:
POST /api/v1/users/register
GET /api/v1/users/{id}
PUT /api/v1/users/{id}
DELETE /api/v1/users/{id}
POST /api/v1/auth/login
GET /api/v1/admin/users
Headers: Authorization: Bearer {token}
Mode 2: Quick Check — 快速检查
快速检查这个 API 端点的安全问题:POST /api/v1/payments/charge
Mode 3: Config Audit — 配置审计
审查以下 API 网关/中间件配置的安全性:
(粘贴 nginx.conf / express middleware / Spring Security config 等)
Mode 4: Report Generation — 报告生成
根据以下安全扫描结果,生成一份结构化的安全报告:
(粘贴扫描结果或漏洞列表)
Scanning Dimensions
This skill scans across 6 security dimensions:
- Authentication & Session — 认证与会话管理
- Authorization & Access Control — 授权与访问控制
- Input Validation & Injection — 输入验证与注入防护
- Data Protection & Privacy — 数据保护与隐私
- Rate Limiting & DoS Protection — 速率限制与防 DoS
- Configuration & Infrastructure — 配置与基础设施
Output Format
Each scan produces a structured report with:
- 🔴 Critical — 必须立即修复
- 🟠 High — 高风险,尽快修复
- 🟡 Medium — 中等风险,计划修复
- 🔵 Low — 低风险,建议修复
- ✅ Passed — 通过检查
Knowledge Files
scan-rules.md — 完整扫描规则库(6大维度,100+ 检查项)