alirezarezvani

api-test-suite-builder

by Alireza Rezvani · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
410 Downloads · 0 Stars · 3 Active Installs · 2 Versions
Install in OpenClaw
/install api-test-suite-builder
Description
API Test Suite Builder
README (SKILL.md)

API Test Suite Builder

Tier: POWERFUL · Category: Engineering · Domain: Testing / API Quality


Overview

Scans API route definitions across frameworks (Next.js App Router, Express, FastAPI, Django REST) and auto-generates comprehensive test suites covering auth, input validation, error codes, pagination, file uploads, and rate limiting. Outputs ready-to-run test files for Vitest+Supertest (Node) or Pytest+httpx (Python).


Core Capabilities

  • Route detection — scan source files to extract all API endpoints
  • Auth coverage — valid/invalid/expired tokens, missing auth header
  • Input validation — missing fields, wrong types, boundary values, injection attempts
  • Error code matrix — 400/401/403/404/422/500 for each route
  • Pagination — first/last/empty/oversized pages
  • File uploads — valid, oversized, wrong MIME type, empty
  • Rate limiting — burst detection, per-user vs global limits

When to Use

  • New API added — generate test scaffold before writing implementation (TDD)
  • Legacy API with no tests — scan and generate baseline coverage
  • API contract review — verify existing tests match current route definitions
  • Pre-release regression check — ensure all routes have at least smoke tests
  • Security audit prep — generate adversarial input tests

Route Detection

Next.js App Router

# Find all route handlers
find ./app/api -name "route.ts" -o -name "route.js" | sort

# Extract HTTP methods from each route file
# (--include recurses without relying on bash globstar for **)
grep -rnE "export (async )?function" app/api --include="route.ts" | \
  grep -oE "(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)" | sort -u

# Full route map (one line per route, methods comma-separated)
find ./app/api -name "route.ts" | while IFS= read -r f; do
  route=$(echo "$f" | sed 's|^\./app||; s|/route\.ts$||')
  methods=$(grep -oE "export (async )?function (GET|POST|PUT|PATCH|DELETE)" "$f" | \
    grep -oE "(GET|POST|PUT|PATCH|DELETE)" | paste -sd, -)
  echo "$methods $route"
done

Express

# Find all router files
find ./src -name "*.ts" -o -name "*.js" | xargs grep -l "router\.\(get\|post\|put\|delete\|patch\)" 2>/dev/null

# Extract routes with line numbers
grep -rn "router\.\(get\|post\|put\|delete\|patch\)\|app\.\(get\|post\|put\|delete\|patch\)" \
  src/ --include="*.ts" | grep -oE "(get|post|put|delete|patch)\(['\"][^'\"]*['\"]"

# Generate route map (GNU sed: \U uppercases the method, \E stops before the path)
grep -rn "router\.\|app\." src/ --include="*.ts" | \
  grep -oE "\.(get|post|put|delete|patch)\(['\"][^'\"]+['\"]" | \
  sed -E "s/\.([a-z]+)\(['\"]([^'\"]+)['\"]/\U\1\E \2/"

FastAPI

# Find all route decorators
grep -rn "@app\.\|@router\." . --include="*.py" | \
  grep -E "@(app|router)\.(get|post|put|delete|patch)"

# Extract with path and function name
grep -rn "@\(app\|router\)\.\(get\|post\|put\|delete\|patch\)" . --include="*.py" | \
  grep -oE "@(app|router)\.(get|post|put|delete|patch)\(['\"][^'\"]*['\"]"

Django REST Framework

# urlpatterns extraction (take the lines following each urlpatterns declaration)
grep -rn -A 50 "urlpatterns" . --include="*.py" | \
  grep -E "path\(['\"]" | grep -oE "['\"][^'\"]+['\"]" | head -40

# ViewSet router registration
grep -rn "router\.register\|DefaultRouter\|SimpleRouter" . --include="*.py"

Test Generation Patterns

Auth Test Matrix

For every authenticated endpoint, generate:

| Test Case | Expected Status |
|---|---|
| No Authorization header | 401 |
| Invalid token format | 401 |
| Valid token, wrong user role | 403 |
| Expired JWT token | 401 |
| Valid token, correct role | 2xx |
| Token from deleted user | 401 |
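
The matrix above as a table-driven check, added here as an example and not taken from the skill's own test templates. It uses only the standard library so it runs offline; `handler`, `mint`, `SECRET` and `USERS` are hypothetical stand-ins for the endpoint, the token factory and the test fixtures, and 200 stands for the table's 2xx.

```python
import base64, hashlib, hmac, json, time

SECRET = b"test-only-secret"             # constructed; never a real signing key
USERS = {"u1": "admin", "u2": "viewer"}  # constructed fixture; "u3" has been deleted

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint(sub, exp_delta=300, key=SECRET):
    """Build an HS256 JWT for `sub` that expires `exp_delta` seconds from now."""
    head = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps({"sub": sub, "exp": int(time.time()) + exp_delta}).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64(sig)}"

def handler(headers, required_role="admin"):
    """Hypothetical endpoint under test: returns the HTTP status it would send."""
    auth = headers.get("Authorization", "")
    parts = auth[7:].split(".") if auth.startswith("Bearer ") else []
    if len(parts) != 3:
        return 401                        # missing header or malformed token
    head, body, sig = parts
    want = b64(hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig.encode(), want.encode()):
        return 401                        # signature check comes before parsing claims
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] < time.time() or claims["sub"] not in USERS:
        return 401                        # expired token, or user no longer exists
    return 200 if USERS[claims["sub"]] == required_role else 403

# One row per line of the auth test matrix: (name, request headers, expected status).
AUTH_MATRIX = [
    ("no Authorization header", {}, 401),
    ("invalid token format", {"Authorization": "Bearer not-a-jwt"}, 401),
    ("valid token, wrong user role", {"Authorization": f"Bearer {mint('u2')}"}, 403),
    ("expired JWT token", {"Authorization": f"Bearer {mint('u1', -60)}"}, 401),
    ("valid token, correct role", {"Authorization": f"Bearer {mint('u1')}"}, 200),
    ("token from deleted user", {"Authorization": f"Bearer {mint('u3')}"}, 401),
]

def run_matrix(endpoint):
    """Return the names of matrix rows where the endpoint's status is not the expected one."""
    return [name for name, hdrs, want in AUTH_MATRIX if endpoint(hdrs) != want]
```

The expired and deleted-user rows carry correctly signed tokens, so they only pass when the endpoint checks `exp` and the user store in addition to the signature.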

Input Validation Matrix

For every POST/PUT/PATCH endpoint with a request body:

| Test Case | Expected Status |
|---|---|
| Empty body {} | 400 or 422 |
| Missing required fields (one at a time) | 400 or 422 |
| Wrong type (string where int expected) | 400 or 422 |
| Boundary: value at min-1 | 400 or 422 |
| Boundary: value at min | 2xx |
| Boundary: value at max | 2xx |
| Boundary: value at max+1 | 400 or 422 |
| SQL injection in string field | 400 or 200 (sanitized) |
| XSS payload in string field | 400 or 200 (sanitized) |
| Null values for required fields | 400 or 422 |
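
A sketch of deriving the structural rows of this matrix (empty body, missing and null fields, wrong type, boundaries) from a field schema, added here as an example and not part of the skill. `SCHEMA`, `VALID` and `accepts` are hypothetical: a constructed schema for an imagined POST /items endpoint and a stand-in for its validator.

```python
# Constructed schema and known-good payload for a hypothetical POST /items endpoint.
SCHEMA = {
    "name": {"type": str, "required": True},
    "quantity": {"type": int, "required": True, "min": 1, "max": 100},
}
VALID = {"name": "widget", "quantity": 5}

def validation_cases(schema, valid):
    """Yield (description, payload, expect_accept) rows derived from the schema."""
    yield "empty body", {}, False
    for field, rule in schema.items():
        if rule.get("required"):
            without = {k: v for k, v in valid.items() if k != field}
            yield f"missing {field}", without, False      # one field at a time
            yield f"null {field}", {**valid, field: None}, False
        wrong = "five" if rule["type"] is int else 5
        yield f"wrong type for {field}", {**valid, field: wrong}, False
        for bound, step in (("min", -1), ("max", 1)):
            if bound in rule:
                edge = rule[bound]
                yield f"{field} at {bound}", {**valid, field: edge}, True
                yield f"{field} at {bound}{step:+d}", {**valid, field: edge + step}, False

def accepts(payload, schema=SCHEMA):
    """Stand-in for the endpoint's validator: True maps to 2xx, False to 400/422."""
    for field, rule in schema.items():
        value = payload.get(field)
        if value is None:
            if rule.get("required"):
                return False
            continue
        if type(value) is not rule["type"]:   # strict: True is not accepted as an int
            return False
        if value < rule.get("min", value) or value > rule.get("max", value):
            return False
    return True

def failures(validator):
    """Descriptions of the cases where the validator disagrees with the matrix."""
    return [d for d, p, ok in validation_cases(SCHEMA, VALID) if validator(p) != ok]
```

Changing only the valid payload per case keeps each failure attributable to a single field, which is what makes an off-by-one in a limit show up as exactly one failing row.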

Example Test Files

→ See references/example-test-files.md for details

Generating Tests from Route Scan

When given a codebase, follow this process:

  1. Scan routes using the detection commands above
  2. Read each route handler to understand:
    • Expected request body schema
    • Auth requirements (middleware, decorators)
    • Return types and status codes
    • Business rules (ownership, role checks)
  3. Generate test file per route group using the patterns above
  4. Name tests descriptively: "returns 401 when token is expired" not "auth test 3"
  5. Use factories/fixtures for test data — never hardcode IDs
  6. Assert response shape, not just status code

Common Pitfalls

  • Testing only happy paths — 80% of bugs live in error paths; test those first
  • Hardcoded test data IDs — use factories/fixtures; IDs change between environments
  • Shared state between tests — always clean up in afterEach/afterAll
  • Testing implementation, not behavior — test what the API returns, not how it does it
  • Missing boundary tests — off-by-one errors are extremely common in pagination and limits
  • Not testing token expiry — expired tokens behave differently from invalid ones
  • Ignoring Content-Type — test that API rejects wrong content types (xml when json expected)

Best Practices

  1. One describe block per endpoint — keeps failures isolated and readable
  2. Seed minimal data — don't load the entire DB; create only what the test needs
  3. Use beforeAll for shared setup, afterAll for cleanup — not beforeEach for expensive ops
  4. Assert specific error messages/fields, not just status codes
  5. Test that sensitive fields (password, secret) are never in responses
  6. For auth tests, always test the "missing header" case separately from "invalid token"
  7. Add rate limit tests last — they can interfere with other test suites if run in parallel
Usage Guidance
This skill is internally consistent with its stated purpose, but before installing or running it: 1) only run scans and generated tests against development or isolated environments — generated tests include adversarial inputs and may create/delete test data or hit rate limits; 2) review generated test files before executing them, especially any tests that call external services or manipulate data; 3) avoid running the skill on repositories containing production secrets or with credentials loaded into the environment; and 4) on Windows or non-POSIX shells the provided shell commands (find/grep/sed) may not work as written — adapt them or run in a Linux-like environment.
Capability Analysis
Type: OpenClaw Skill · Name: api-test-suite-builder · Version: 1.0.0
The skill is a legitimate engineering tool designed to automate the generation of API test suites for various frameworks like Next.js, Express, and FastAPI. It uses standard shell commands (find, grep, sed) in SKILL.md for route discovery and provides comprehensive test templates in references/example-test-files.md that cover authentication, input validation, and security edge cases. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.
Capability Assessment
Purpose & Capability
Name/description (API Test Suite Builder) align with the SKILL.md: it scans repo source files for routes and generates tests. No unrelated environment variables, binaries, or install steps are requested.
Instruction Scope
The instructions explicitly tell the agent to scan and read route handler source files (find/grep/etc.) and generate adversarial tests (injection/XSS/rate-limit). This is expected for a test-generator, but it does mean the skill will read project files broadly and produce tests that perform potentially intrusive requests — review generated tests before running them against production systems.
Install Mechanism
Instruction-only skill with no install spec or code to download. Lowest-risk installation footprint; nothing will be written to disk by an installer step.
Credentials
The skill declares no environment variables, credentials, or config paths. The instructions do not request secrets or external tokens. This is proportionate for a static-code-scanning + test-generation tool.
Persistence & Privilege
always:false and normal model-invocation settings. The skill does not request permanent agent-wide presence or to modify other skills; no elevated persistence privileges are requested.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install api-test-suite-builder
  3. After installation, invoke the skill by name or use /api-test-suite-builder
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial publish
v2.1.1
v2.1.1: optimization, reference splits
Metadata
Slug: api-test-suite-builder
Version: 1.0.0
License: MIT-0
All-time Installs: 3
Active Installs: 3
Total Versions: 2
Frequently Asked Questions

What is api-test-suite-builder?

API Test Suite Builder is an AI Agent Skill for Claude Code / OpenClaw, with 410 downloads so far.

How do I install api-test-suite-builder?

Run "/install api-test-suite-builder" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is api-test-suite-builder free?

Yes, api-test-suite-builder is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does api-test-suite-builder support?

api-test-suite-builder is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created api-test-suite-builder?

It is built and maintained by Alireza Rezvani (@alirezarezvani); the current version is v1.0.0.
