← 返回 Skills 市场

Api Security Scanner

Name: Api Security Scanner
Author: caingao

作者 VelenGao · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ✓ 安全检测通过

总下载

当前安装

版本数

在 OpenClaw 中安装

/install api-security-scanner

功能描述

API 安全扫描工具。对 REST API 端点进行自动化安全审计，检测 OWASP Top 10 漏洞、认证/授权问题、敏感数据泄露、速率限制缺失等常见安全隐患。输出结构化安全报告。适合开发者在部署前快速自检，也适合安全团队做轻量级审计。

使用说明 (SKILL.md)

API Security Scanner 🔒

Description

Automated security scanner for REST API endpoints. Performs security audit against OWASP API Security Top 10, detecting authentication issues, authorization flaws, data exposure, injection risks, and more.

对 REST API 端点进行自动化安全审计，覆盖 OWASP API 安全 Top 10，检测认证/授权问题、数据泄露、注入风险等常见隐患。

When to Use This Skill

Use this skill when:

You need to audit API endpoints for security vulnerabilities（审计 API 端点的安全漏洞）
You want to review API design/config for security best practices（审查 API 设计/配置的安全最佳实践）
You need to generate a security report before deployment（部署前生成安全报告）
You're reviewing API documentation for security issues（审查 API 文档中的安全问题）
You want to harden your API against common attack vectors（加固 API 抵御常见攻击向量）

Usage Modes

Mode 1: Full Scan — 完整扫描

请扫描以下 API 端点的安全问题：

POST /api/v1/users/register
GET /api/v1/users/{id}
PUT /api/v1/users/{id}
DELETE /api/v1/users/{id}
POST /api/v1/auth/login
GET /api/v1/admin/users

Headers: Authorization: Bearer {token}

Mode 2: Quick Check — 快速检查

快速检查这个 API 端点的安全问题：POST /api/v1/payments/charge

Mode 3: Config Audit — 配置审计

审查以下 API 网关/中间件配置的安全性：

（粘贴 nginx.conf / express middleware / Spring Security config 等）

Mode 4: Report Generation — 报告生成

根据以下安全扫描结果，生成一份结构化的安全报告：

（粘贴扫描结果或漏洞列表）

Scanning Dimensions

This skill scans across 6 security dimensions:

Authentication & Session — 认证与会话管理
Authorization & Access Control — 授权与访问控制
Input Validation & Injection — 输入验证与注入防护
Data Protection & Privacy — 数据保护与隐私
Rate Limiting & DoS Protection — 速率限制与防 DoS
Configuration & Infrastructure — 配置与基础设施

Output Format

Each scan produces a structured report with:

🔴 Critical — 必须立即修复
🟠 High — 高风险，尽快修复
🟡 Medium — 中等风险，计划修复
🔵 Low — 低风险，建议修复
✅ Passed — 通过检查

Knowledge Files

scan-rules.md — 完整扫描规则库（6大维度，100+ 检查项）

安全使用建议

Use sanitized examples where possible. Do not paste production bearer tokens, API keys, private keys, customer data, internal-only hostnames, or unredacted vulnerability reports unless you have approval and understand how the skill platform handles submitted text.

能力标签

requires-oauth-tokenrequires-sensitive-credentials

能力评估

✓ Purpose & Capability

The skill provides REST API security review guidance, checklist rules, and report templates for authentication, authorization, injection, privacy, rate limiting, and configuration issues.

ℹ Instruction Scope

The usage examples ask users to paste API endpoints, gateway or framework configs, and vulnerability findings; this is purpose-aligned but can involve sensitive internal information.

✓ Install Mechanism

The only install instruction is a standard ClawHub install command, and the artifact contains only markdown files with no executable setup scripts or dependencies.

✓ Credentials

The artifacts do not request shell execution, local filesystem access, live network scanning authority, credential storage, or mutation of user systems.

✓ Persistence & Privilege

No persistence mechanism, background process, privilege escalation, credential harvesting, or destructive behavior is present.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install api-security-scanner
安装完成后，直接呼叫该 Skill 的名称或使用 /api-security-scanner 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release - REST API安全扫描工具，6大维度100+检查项，覆盖OWASP API Top 10

元数据

Slug api-security-scanner

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题