zhongwei/gh-jeremylongshore-claude-code-plugins-plus-plugins-api-development-api-security-scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-29 18:52:40 +08:00
commit c2df1fb3c6
17 changed files with 1469 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
skills/skill-adapter/assets/README.md Normal file
View File

@@ -0,0 +1,7 @@
# Assets
Bundled resources for api-security-scanner skill
- [ ] report_template.md: Markdown template for generating the API security scan report.
- [ ] example_api_response.json: Example API response to demonstrate the structure and format of API data.
- [ ] owasp_logo.png: OWASP logo for inclusion in the report.

32
skills/skill-adapter/assets/config-template.json Normal file
View File

@@ -0,0 +1,32 @@
{
"skill": {
"name": "skill-name",
"version": "1.0.0",
"enabled": true,
"settings": {
"verbose": false,
"autoActivate": true,
"toolRestrictions": true
}
},
"triggers": {
"keywords": [
"example-trigger-1",
"example-trigger-2"
],
"patterns": []
},
"tools": {
"allowed": [
"Read",
"Grep",
"Bash"
],
"restricted": []
},
"metadata": {
"author": "Plugin Author",
"category": "general",
"tags": []
}
}

75
skills/skill-adapter/assets/example_api_response.json Normal file
View File

@@ -0,0 +1,75 @@
{
"_comment": "Example API response from a security scan",
"scan_id": "api-scan-2024-10-27-123456",
"target_url": "https://example.com/api/v1",
"scan_start_time": "2024-10-27T14:00:00Z",
"scan_end_time": "2024-10-27T14:15:00Z",
"scan_status": "completed",
"vulnerabilities": [
{
"vulnerability_id": "API1:2023 Broken Object Level Authorization",
"name": "Broken Object Level Authorization",
"severity": "High",
"description": "API endpoints are vulnerable to broken object level authorization. Attackers can access objects belonging to other users by manipulating object IDs.",
"owasp_category": "OWASP API Security Top 10",
"cwe_id": "CWE-285",
"affected_endpoint": "/users/{user_id}",
"http_method": "GET",
"parameter": "user_id",
"payload": "12345",
"evidence": "Returned user data for user_id 98765 when authenticated as user_id 12345.",
"remediation": "Implement proper authorization checks to ensure users can only access objects they own or have permission to access. Use parameterized queries and avoid direct object references. Consider using a Role-Based Access Control (RBAC) system.",
"references": [
"https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/",
"https://cwe.mitre.org/data/definitions/285.html"
],
"status": "open"
},
{
"vulnerability_id": "API4:2023 Unrestricted Resource Consumption",
"name": "Unrestricted Resource Consumption",
"severity": "Medium",
"description": "API is vulnerable to unrestricted resource consumption. Attackers can exhaust server resources by sending a large number of requests or large payloads.",
"owasp_category": "OWASP API Security Top 10",
"cwe_id": "CWE-400",
"affected_endpoint": "/search",
"http_method": "POST",
"parameter": "query",
"payload": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"evidence": "Server response time increased significantly after sending a large number of requests with large payloads.",
"remediation": "Implement rate limiting, pagination, and input validation to prevent resource exhaustion. Consider using a Content Delivery Network (CDN) to cache static content.",
"references": [
"https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-access-to-sensitive-business-flows/",
"https://cwe.mitre.org/data/definitions/400.html"
],
"status": "open"
},
{
"_comment": "Example of a low severity issue",
"vulnerability_id": "API9:2023 Improper Assets Management",
"name": "Improper Assets Management",
"severity": "Low",
"description": "API lacks proper assets management. Debug endpoints are exposed in production.",
"owasp_category": "OWASP API Security Top 10",
"cwe_id": "CWE-1173",
"affected_endpoint": "/debug/healthcheck",
"http_method": "GET",
"parameter": null,
"payload": null,
"evidence": "Debug endpoint /debug/healthcheck is accessible without authentication in production.",
"remediation": "Disable or remove debug endpoints from production environment. Implement proper authentication and authorization for sensitive endpoints.",
"references": [
"https://owasp.org/API-Security/editions/2023/en/0xa9-improper-assets-management/",
"https://cwe.mitre.org/data/definitions/1173.html"
],
"status": "open"
}
],
"scan_summary": {
"total_vulnerabilities": 3,
"high_severity": 1,
"medium_severity": 1,
"low_severity": 1,
"info_severity": 0
}
}

10
skills/skill-adapter/assets/owasp_logo.png Normal file
View File

@@ -0,0 +1,10 @@
// This is a placeholder for the OWASP logo.
// To replace this placeholder with the actual OWASP logo:
// 1. Download the OWASP logo in PNG format from the official OWASP website (https://owasp.org/www-project-top-ten/).
// 2. Open this file (owasp_logo.png) in an image editor (e.g., GIMP, Photoshop, Paint.NET).
// 3. Replace the placeholder content with the downloaded OWASP logo.
// 4. Ensure the file is saved as a PNG with the same name (owasp_logo.png).
//
// This logo will be used in the API Security Scanner report to visually represent the OWASP API Top 10 vulnerabilities.
iVBORw0KGgoAAAANSUhEUgAAAEAAAABAAQMAAACQp+OdAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAgY0hSTQAAeiYAAICEAAD6AAAAgOgAAHUwKANUAAAASUVORK5CYII=

99
skills/skill-adapter/assets/report_template.md Normal file
View File

@@ -0,0 +1,99 @@
# API Security Scan Report
**API Endpoint:** [Insert API Endpoint Here, e.g., `https://api.example.com/v1/users`]
**Scan Date:** [Insert Date Here, e.g., `2024-10-27`]
**Report Generated By:** api-security-scanner@claude-code-plugins-plus
**Report ID:** [Insert a unique Report ID here for tracking, e.g., `API-SCAN-20241027-001`]
## Executive Summary
[Provide a brief overview of the scan results. Highlight the most critical vulnerabilities and their potential impact. For example: `This scan identified several high-severity vulnerabilities, including Broken Authentication and Injection flaws. Immediate remediation is recommended to prevent unauthorized access and data breaches.`]
## Vulnerability Details
This section provides detailed information about each vulnerability identified during the scan, including its severity, description, and recommended remediation steps.
### 1. [Vulnerability Title, e.g., Broken Authentication]
* **OWASP API Security Top 10 Category:** [e.g., API1:2023 Broken Object Level Authorization]
* **Severity:** [e.g., High, Medium, Low, Informational]
* **Description:** [Provide a detailed explanation of the vulnerability. For example: `The API endpoint is vulnerable to Broken Authentication due to weak password policies and the absence of multi-factor authentication. Attackers can potentially gain unauthorized access to user accounts by brute-forcing passwords.`]
* **Affected Endpoint(s):** [List the specific API endpoints affected by the vulnerability. For example: `/api/login`, `/api/reset-password`]
* **Request Example:**
```
POST /api/login
Content-Type: application/json
{
"username": "testuser",
"password": "weakpassword"
}
```
* **Response Example:**
```
{
"status": "success",
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
```
* **Impact:** [Describe the potential impact of the vulnerability. For example: `Successful exploitation could allow attackers to access sensitive user data, perform actions on behalf of users, and potentially compromise the entire system.`]
* **Recommendation:** [Provide specific and actionable remediation steps. For example: `Implement strong password policies, enforce multi-factor authentication, and implement rate limiting to prevent brute-force attacks.`]
* **Evidence:** [Provide evidence or proof of concept that demonstrates the vulnerability. This could include screenshots, logs, or code snippets. Be mindful of sensitive information.]
### 2. [Vulnerability Title, e.g., Injection Vulnerability]
* **OWASP API Security Top 10 Category:** [e.g., API2:2023 Broken User Authentication]
* **Severity:** [e.g., High, Medium, Low, Informational]
* **Description:** [Provide a detailed explanation of the vulnerability. For example: `The API endpoint is vulnerable to SQL injection due to insufficient input validation. Attackers can potentially execute arbitrary SQL queries by injecting malicious code into input fields.`]
* **Affected Endpoint(s):** [List the specific API endpoints affected by the vulnerability. For example: `/api/users/{id}`]
* **Request Example:**
```
GET /api/users/1' OR '1'='1
```
* **Response Example:** [Show the unexpected response indicating injection success, or an error message revealing the backend technology.]
* **Impact:** [Describe the potential impact of the vulnerability. For example: `Successful exploitation could allow attackers to access, modify, or delete sensitive data from the database, potentially leading to data breaches and system compromise.`]
* **Recommendation:** [Provide specific and actionable remediation steps. For example: `Implement proper input validation, use parameterized queries or prepared statements, and apply the principle of least privilege to database access.`]
* **Evidence:** [Provide evidence or proof of concept that demonstrates the vulnerability. This could include screenshots, logs, or code snippets. Be mindful of sensitive information.]
### 3. [Vulnerability Title, e.g., Excessive Data Exposure]
* **OWASP API Security Top 10 Category:** [e.g., API3:2023 Excessive Data Exposure]
* **Severity:** [e.g., High, Medium, Low, Informational]
* **Description:** [Provide a detailed explanation of the vulnerability. For example: `The API endpoint returns more data than necessary, potentially exposing sensitive user information to unauthorized parties.`]
* **Affected Endpoint(s):** [List the specific API endpoints affected by the vulnerability. For example: `/api/profile`]
* **Request Example:**
```
GET /api/profile
```
* **Response Example:**
```json
{
"id": 123,
"username": "testuser",
"email": "testuser@example.com",
"phone_number": "555-123-4567",
"address": "123 Main St",
"credit_card_number": "XXXXXXXXXXXXXXXX"
}
```
* **Impact:** [Describe the potential impact of the vulnerability. For example: `Exposure of sensitive data could lead to identity theft, financial fraud, and privacy violations.`]
* **Recommendation:** [Provide specific and actionable remediation steps. For example: `Implement data filtering and masking to return only the necessary data to the client. Avoid exposing sensitive information such as credit card numbers and social security numbers.`]
* **Evidence:** [Provide evidence or proof of concept that demonstrates the vulnerability. This could include screenshots, logs, or code snippets. Be mindful of sensitive information.]
**(Repeat the above section for each identified vulnerability)**
## Conclusion
[Summarize the overall security posture of the API based on the scan results. Emphasize the importance of addressing the identified vulnerabilities and provide recommendations for ongoing security testing and monitoring. For example: `The API has several critical vulnerabilities that require immediate attention. Addressing these vulnerabilities is crucial to protect sensitive data and prevent potential security breaches. Regular security scans and penetration testing are recommended to maintain a strong security posture.`]
## Disclaimer
This report is based on the results of an automated security scan and should be used as a starting point for further investigation and remediation. It is important to manually verify the findings and implement appropriate security measures to mitigate the identified vulnerabilities. The effectiveness of the remediation steps depends on the specific implementation and configuration of the API.

28
skills/skill-adapter/assets/skill-schema.json Normal file
View File

@@ -0,0 +1,28 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Claude Skill Configuration",
"type": "object",
"required": ["name", "description"],
"properties": {
"name": {
"type": "string",
"pattern": "^[a-z0-9-]+$",
"maxLength": 64,
"description": "Skill identifier (lowercase, hyphens only)"
},
"description": {
"type": "string",
"maxLength": 1024,
"description": "What the skill does and when to use it"
},
"allowed-tools": {
"type": "string",
"description": "Comma-separated list of allowed tools"
},
"version": {
"type": "string",
"pattern": "^\\d+\\.\\d+\\.\\d+$",
"description": "Semantic version (x.y.z)"
}
}
}

27
skills/skill-adapter/assets/test-data.json Normal file
View File

@@ -0,0 +1,27 @@
{
"testCases": [
{
"name": "Basic activation test",
"input": "trigger phrase example",
"expected": {
"activated": true,
"toolsUsed": ["Read", "Grep"],
"success": true
}
},
{
"name": "Complex workflow test",
"input": "multi-step trigger example",
"expected": {
"activated": true,
"steps": 3,
"toolsUsed": ["Read", "Write", "Bash"],
"success": true
}
}
],
"fixtures": {
"sampleInput": "example data",
"expectedOutput": "processed result"
}
}

8
skills/skill-adapter/references/README.md Normal file
View File

@@ -0,0 +1,8 @@
# References
Bundled resources for api-security-scanner skill
- [ ] owasp_api_top_10.md: Detailed documentation of each OWASP API Security Top 10 vulnerability, including examples and attack vectors.
- [ ] api_security_best_practices.md: A guide to API security best practices, covering topics such as authentication, authorization, input validation, and error handling.
- [ ] api_schema_example.json: Example API schema to demonstrate how to define and validate API endpoints.
- [ ] api_scan_configuration.md: Documentation on how to configure the API security scanner, including setting scan parameters, defining target APIs, and specifying authentication methods.

69
skills/skill-adapter/references/best-practices.md Normal file
View File

@@ -0,0 +1,69 @@
# Skill Best Practices
Guidelines for optimal skill usage and development.
## For Users
### Activation Best Practices
1. **Use Clear Trigger Phrases**
- Match phrases from skill description
- Be specific about intent
- Provide necessary context
2. **Provide Sufficient Context**
- Include relevant file paths
- Specify scope of analysis
- Mention any constraints
3. **Understand Tool Permissions**
- Check allowed-tools in frontmatter
- Know what the skill can/cannot do
- Request appropriate actions
### Workflow Optimization
- Start with simple requests
- Build up to complex workflows
- Verify each step before proceeding
- Use skill consistently for related tasks
## For Developers
### Skill Development Guidelines
1. **Clear Descriptions**
- Include explicit trigger phrases
- Document all capabilities
- Specify limitations
2. **Proper Tool Permissions**
- Use minimal necessary tools
- Document security implications
- Test with restricted tools
3. **Comprehensive Documentation**
- Provide usage examples
- Document common pitfalls
- Include troubleshooting guide
### Maintenance
- Keep version updated
- Test after tool updates
- Monitor user feedback
- Iterate on descriptions
## Performance Tips
- Scope skills to specific domains
- Avoid overlapping trigger phrases
- Keep descriptions under 1024 chars
- Test activation reliability
## Security Considerations
- Never include secrets in skill files
- Validate all inputs
- Use read-only tools when possible
- Document security requirements

70
skills/skill-adapter/references/examples.md Normal file
View File

@@ -0,0 +1,70 @@
# Skill Usage Examples
This document provides practical examples of how to use this skill effectively.
## Basic Usage
### Example 1: Simple Activation
**User Request:**
```
[Describe trigger phrase here]
```
**Skill Response:**
1. Analyzes the request
2. Performs the required action
3. Returns results
### Example 2: Complex Workflow
**User Request:**
```
[Describe complex scenario]
```
**Workflow:**
1. Step 1: Initial analysis
2. Step 2: Data processing
3. Step 3: Result generation
4. Step 4: Validation
## Advanced Patterns
### Pattern 1: Chaining Operations
Combine this skill with other tools:
```
Step 1: Use this skill for [purpose]
Step 2: Chain with [other tool]
Step 3: Finalize with [action]
```
### Pattern 2: Error Handling
If issues occur:
- Check trigger phrase matches
- Verify context is available
- Review allowed-tools permissions
## Tips & Best Practices
- ✅ Be specific with trigger phrases
- ✅ Provide necessary context
- ✅ Check tool permissions match needs
- ❌ Avoid vague requests
- ❌ Don't mix unrelated tasks
## Common Issues
**Issue:** Skill doesn't activate
**Solution:** Use exact trigger phrases from description
**Issue:** Unexpected results
**Solution:** Check input format and context
## See Also
- Main SKILL.md for full documentation
- scripts/ for automation helpers
- assets/ for configuration examples

7
skills/skill-adapter/scripts/README.md Normal file
View File

@@ -0,0 +1,7 @@
# Scripts
Bundled resources for api-security-scanner skill
- [ ] api_scan.py: Script to perform the API security scan, handling authentication, request building, and response parsing.
- [ ] report_generator.py: Script to generate a formatted report (e.g., Markdown, JSON) of the scan results.
- [ ] remediation_guidance.py: Script to provide specific remediation steps based on the identified vulnerabilities.

42
skills/skill-adapter/scripts/helper-template.sh Executable file
View File

@@ -0,0 +1,42 @@
#!/bin/bash
# Helper script template for skill automation
# Customize this for your skill's specific needs
set -e
function show_usage() {
echo "Usage: $0 [options]"
echo ""
echo "Options:"
echo " -h, --help Show this help message"
echo " -v, --verbose Enable verbose output"
echo ""
}
# Parse arguments
VERBOSE=false
while [[ $# -gt 0 ]]; do
case $1 in
-h|--help)
show_usage
exit 0
;;
-v|--verbose)
VERBOSE=true
shift
;;
*)
echo "Unknown option: $1"
show_usage
exit 1
;;
esac
done
# Your skill logic here
if [ "$VERBOSE" = true ]; then
echo "Running skill automation..."
fi
echo "✅ Complete"

32
skills/skill-adapter/scripts/validation.sh Executable file
View File

@@ -0,0 +1,32 @@
#!/bin/bash
# Skill validation helper
# Validates skill activation and functionality
set -e
echo "🔍 Validating skill..."
# Check if SKILL.md exists
if [ ! -f "../SKILL.md" ]; then
echo "❌ Error: SKILL.md not found"
exit 1
fi
# Validate frontmatter
if ! grep -q "^---$" "../SKILL.md"; then
echo "❌ Error: No frontmatter found"
exit 1
fi
# Check required fields
if ! grep -q "^name:" "../SKILL.md"; then
echo "❌ Error: Missing 'name' field"
exit 1
fi
if ! grep -q "^description:" "../SKILL.md"; then
echo "❌ Error: Missing 'description' field"
exit 1
fi
echo "✅ Skill validation passed"