Initial commit

skills/skill-adapter/assets/README.md

@@ -0,0 +1,7 @@
+# Assets
+
+Bundled resources for api-security-scanner skill
+
+- [ ] report_template.md: Markdown template for generating the API security scan report.
+- [ ] example_api_response.json: Example API response to demonstrate the structure and format of API data.
+- [ ] owasp_logo.png: OWASP logo for inclusion in the report.

skills/skill-adapter/assets/config-template.json

@@ -0,0 +1,32 @@
+{
+  "skill": {
+    "name": "skill-name",
+    "version": "1.0.0",
+    "enabled": true,
+    "settings": {
+      "verbose": false,
+      "autoActivate": true,
+      "toolRestrictions": true
+    }
+  },
+  "triggers": {
+    "keywords": [
+      "example-trigger-1",
+      "example-trigger-2"
+    ],
+    "patterns": []
+  },
+  "tools": {
+    "allowed": [
+      "Read",
+      "Grep",
+      "Bash"
+    ],
+    "restricted": []
+  },
+  "metadata": {
+    "author": "Plugin Author",
+    "category": "general",
+    "tags": []
+  }
+}

skills/skill-adapter/assets/example_api_response.json

@@ -0,0 +1,75 @@
+{
+  "_comment": "Example API response from a security scan",
+  "scan_id": "api-scan-2024-10-27-123456",
+  "target_url": "https://example.com/api/v1",
+  "scan_start_time": "2024-10-27T14:00:00Z",
+  "scan_end_time": "2024-10-27T14:15:00Z",
+  "scan_status": "completed",
+  "vulnerabilities": [
+    {
+      "vulnerability_id": "API1:2023 Broken Object Level Authorization",
+      "name": "Broken Object Level Authorization",
+      "severity": "High",
+      "description": "API endpoints are vulnerable to broken object level authorization. Attackers can access objects belonging to other users by manipulating object IDs.",
+      "owasp_category": "OWASP API Security Top 10",
+      "cwe_id": "CWE-285",
+      "affected_endpoint": "/users/{user_id}",
+      "http_method": "GET",
+      "parameter": "user_id",
+      "payload": "12345",
+      "evidence": "Returned user data for user_id 98765 when authenticated as user_id 12345.",
+      "remediation": "Implement proper authorization checks to ensure users can only access objects they own or have permission to access.  Use parameterized queries and avoid direct object references.  Consider using a Role-Based Access Control (RBAC) system.",
+      "references": [
+        "https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/",
+        "https://cwe.mitre.org/data/definitions/285.html"
+      ],
+      "status": "open"
+    },
+    {
+      "vulnerability_id": "API4:2023 Unrestricted Resource Consumption",
+      "name": "Unrestricted Resource Consumption",
+      "severity": "Medium",
+      "description": "API is vulnerable to unrestricted resource consumption.  Attackers can exhaust server resources by sending a large number of requests or large payloads.",
+      "owasp_category": "OWASP API Security Top 10",
+      "cwe_id": "CWE-400",
+      "affected_endpoint": "/search",
+      "http_method": "POST",
+      "parameter": "query",
+      "payload": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+      "evidence": "Server response time increased significantly after sending a large number of requests with large payloads.",
+      "remediation": "Implement rate limiting, pagination, and input validation to prevent resource exhaustion. Consider using a Content Delivery Network (CDN) to cache static content.",
+      "references": [
+        "https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-access-to-sensitive-business-flows/",
+        "https://cwe.mitre.org/data/definitions/400.html"
+      ],
+      "status": "open"
+    },
+    {
+      "_comment": "Example of a low severity issue",
+      "vulnerability_id": "API9:2023 Improper Assets Management",
+      "name": "Improper Assets Management",
+      "severity": "Low",
+      "description": "API lacks proper assets management.  Debug endpoints are exposed in production.",
+      "owasp_category": "OWASP API Security Top 10",
+      "cwe_id": "CWE-1173",
+      "affected_endpoint": "/debug/healthcheck",
+      "http_method": "GET",
+      "parameter": null,
+      "payload": null,
+      "evidence": "Debug endpoint /debug/healthcheck is accessible without authentication in production.",
+      "remediation": "Disable or remove debug endpoints from production environment. Implement proper authentication and authorization for sensitive endpoints.",
+      "references": [
+        "https://owasp.org/API-Security/editions/2023/en/0xa9-improper-assets-management/",
+        "https://cwe.mitre.org/data/definitions/1173.html"
+      ],
+      "status": "open"
+    }
+  ],
+  "scan_summary": {
+    "total_vulnerabilities": 3,
+    "high_severity": 1,
+    "medium_severity": 1,
+    "low_severity": 1,
+    "info_severity": 0
+  }
+}

skills/skill-adapter/assets/owasp_logo.png

@@ -0,0 +1,10 @@
+// This is a placeholder for the OWASP logo.
+// To replace this placeholder with the actual OWASP logo:
+// 1. Download the OWASP logo in PNG format from the official OWASP website (https://owasp.org/www-project-top-ten/).
+// 2. Open this file (owasp_logo.png) in an image editor (e.g., GIMP, Photoshop, Paint.NET).
+// 3. Replace the placeholder content with the downloaded OWASP logo.
+// 4. Ensure the file is saved as a PNG with the same name (owasp_logo.png).
+//
+// This logo will be used in the API Security Scanner report to visually represent the OWASP API Top 10 vulnerabilities.
+
+iVBORw0KGgoAAAANSUhEUgAAAEAAAABAAQMAAACQp+OdAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAgY0hSTQAAeiYAAICEAAD6AAAAgOgAAHUwKANUAAAASUVORK5CYII=

skills/skill-adapter/assets/report_template.md

@@ -0,0 +1,99 @@
+# API Security Scan Report
+
+**API Endpoint:** [Insert API Endpoint Here, e.g., `https://api.example.com/v1/users`]
+
+**Scan Date:** [Insert Date Here, e.g., `2024-10-27`]
+
+**Report Generated By:** api-security-scanner@claude-code-plugins-plus
+
+**Report ID:** [Insert a unique Report ID here for tracking, e.g., `API-SCAN-20241027-001`]
+
+## Executive Summary
+
+[Provide a brief overview of the scan results.  Highlight the most critical vulnerabilities and their potential impact.  For example: `This scan identified several high-severity vulnerabilities, including Broken Authentication and Injection flaws.  Immediate remediation is recommended to prevent unauthorized access and data breaches.`]
+
+## Vulnerability Details
+
+This section provides detailed information about each vulnerability identified during the scan, including its severity, description, and recommended remediation steps.
+
+### 1. [Vulnerability Title, e.g., Broken Authentication]
+
+*   **OWASP API Security Top 10 Category:** [e.g., API1:2023 Broken Object Level Authorization]
+*   **Severity:** [e.g., High, Medium, Low, Informational]
+*   **Description:** [Provide a detailed explanation of the vulnerability.  For example: `The API endpoint is vulnerable to Broken Authentication due to weak password policies and the absence of multi-factor authentication. Attackers can potentially gain unauthorized access to user accounts by brute-forcing passwords.`]
+*   **Affected Endpoint(s):** [List the specific API endpoints affected by the vulnerability.  For example: `/api/login`, `/api/reset-password`]
+*   **Request Example:**
+
+    ```
+    POST /api/login
+    Content-Type: application/json
+
+    {
+      "username": "testuser",
+      "password": "weakpassword"
+    }
+    ```
+*   **Response Example:**
+
+    ```
+    {
+      "status": "success",
+      "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+    }
+    ```
+*   **Impact:** [Describe the potential impact of the vulnerability. For example: `Successful exploitation could allow attackers to access sensitive user data, perform actions on behalf of users, and potentially compromise the entire system.`]
+*   **Recommendation:** [Provide specific and actionable remediation steps. For example: `Implement strong password policies, enforce multi-factor authentication, and implement rate limiting to prevent brute-force attacks.`]
+*   **Evidence:** [Provide evidence or proof of concept that demonstrates the vulnerability. This could include screenshots, logs, or code snippets.  Be mindful of sensitive information.]
+
+### 2. [Vulnerability Title, e.g., Injection Vulnerability]
+
+*   **OWASP API Security Top 10 Category:** [e.g., API2:2023 Broken User Authentication]
+*   **Severity:** [e.g., High, Medium, Low, Informational]
+*   **Description:** [Provide a detailed explanation of the vulnerability. For example: `The API endpoint is vulnerable to SQL injection due to insufficient input validation. Attackers can potentially execute arbitrary SQL queries by injecting malicious code into input fields.`]
+*   **Affected Endpoint(s):** [List the specific API endpoints affected by the vulnerability. For example: `/api/users/{id}`]
+*   **Request Example:**
+
+    ```
+    GET /api/users/1' OR '1'='1
+    ```
+*   **Response Example:** [Show the unexpected response indicating injection success, or an error message revealing the backend technology.]
+*   **Impact:** [Describe the potential impact of the vulnerability. For example: `Successful exploitation could allow attackers to access, modify, or delete sensitive data from the database, potentially leading to data breaches and system compromise.`]
+*   **Recommendation:** [Provide specific and actionable remediation steps. For example: `Implement proper input validation, use parameterized queries or prepared statements, and apply the principle of least privilege to database access.`]
+*   **Evidence:** [Provide evidence or proof of concept that demonstrates the vulnerability. This could include screenshots, logs, or code snippets. Be mindful of sensitive information.]
+
+### 3. [Vulnerability Title, e.g., Excessive Data Exposure]
+
+*   **OWASP API Security Top 10 Category:** [e.g., API3:2023 Excessive Data Exposure]
+*   **Severity:** [e.g., High, Medium, Low, Informational]
+*   **Description:** [Provide a detailed explanation of the vulnerability. For example: `The API endpoint returns more data than necessary, potentially exposing sensitive user information to unauthorized parties.`]
+*   **Affected Endpoint(s):** [List the specific API endpoints affected by the vulnerability. For example: `/api/profile`]
+*   **Request Example:**
+
+    ```
+    GET /api/profile
+    ```
+*   **Response Example:**
+
+    ```json
+    {
+      "id": 123,
+      "username": "testuser",
+      "email": "testuser@example.com",
+      "phone_number": "555-123-4567",
+      "address": "123 Main St",
+      "credit_card_number": "XXXXXXXXXXXXXXXX"
+    }
+    ```
+*   **Impact:** [Describe the potential impact of the vulnerability. For example: `Exposure of sensitive data could lead to identity theft, financial fraud, and privacy violations.`]
+*   **Recommendation:** [Provide specific and actionable remediation steps. For example: `Implement data filtering and masking to return only the necessary data to the client. Avoid exposing sensitive information such as credit card numbers and social security numbers.`]
+*   **Evidence:** [Provide evidence or proof of concept that demonstrates the vulnerability. This could include screenshots, logs, or code snippets. Be mindful of sensitive information.]
+
+**(Repeat the above section for each identified vulnerability)**
+
+## Conclusion
+
+[Summarize the overall security posture of the API based on the scan results. Emphasize the importance of addressing the identified vulnerabilities and provide recommendations for ongoing security testing and monitoring.  For example: `The API has several critical vulnerabilities that require immediate attention.  Addressing these vulnerabilities is crucial to protect sensitive data and prevent potential security breaches.  Regular security scans and penetration testing are recommended to maintain a strong security posture.`]
+
+## Disclaimer
+
+This report is based on the results of an automated security scan and should be used as a starting point for further investigation and remediation. It is important to manually verify the findings and implement appropriate security measures to mitigate the identified vulnerabilities. The effectiveness of the remediation steps depends on the specific implementation and configuration of the API.

skills/skill-adapter/assets/skill-schema.json

@@ -0,0 +1,28 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Claude Skill Configuration",
+  "type": "object",
+  "required": ["name", "description"],
+  "properties": {
+    "name": {
+      "type": "string",
+      "pattern": "^[a-z0-9-]+$",
+      "maxLength": 64,
+      "description": "Skill identifier (lowercase, hyphens only)"
+    },
+    "description": {
+      "type": "string",
+      "maxLength": 1024,
+      "description": "What the skill does and when to use it"
+    },
+    "allowed-tools": {
+      "type": "string",
+      "description": "Comma-separated list of allowed tools"
+    },
+    "version": {
+      "type": "string",
+      "pattern": "^\\d+\\.\\d+\\.\\d+$",
+      "description": "Semantic version (x.y.z)"
+    }
+  }
+}

skills/skill-adapter/assets/test-data.json

@@ -0,0 +1,27 @@
+{
+  "testCases": [
+    {
+      "name": "Basic activation test",
+      "input": "trigger phrase example",
+      "expected": {
+        "activated": true,
+        "toolsUsed": ["Read", "Grep"],
+        "success": true
+      }
+    },
+    {
+      "name": "Complex workflow test",
+      "input": "multi-step trigger example",
+      "expected": {
+        "activated": true,
+        "steps": 3,
+        "toolsUsed": ["Read", "Write", "Bash"],
+        "success": true
+      }
+    }
+  ],
+  "fixtures": {
+    "sampleInput": "example data",
+    "expectedOutput": "processed result"
+  }
+}