功能描述

Discovers and maps API endpoints using passive OSINT and active brute-forcing to assess the exposed attack surface of a web application's API layer.

使用说明 (SKILL.md)

API Endpoint Discovery

Name: Api Endpoint Discovery
Author: snipercat69

Skill Name: api-endpoint-discovery Version: 1.0.0 Category: Security / API / OSINT Price: Lifetime: $39 / Optional Monthly: $7/mo (includes all Pro features permanently) Author: EdgeIQ Labs OpenClaw Compatible: Yes — Python 3, pure stdlib, WSL + Linux

What It Does

Discovers API endpoints for a target domain using passive OSINT (Swagger docs, OpenAPI specs, robots.txt, JavaScript scraping, favicon analysis) and active techniques (path brute-forcing, parameter enumeration). Maps the exposed attack surface of a web application's API layer.

⚠️ Legal Notice: Only audit domains you own or have explicit written authorization to scan. Active brute-forcing should only be used on authorized targets.

Features

Swagger/OpenAPI discovery — locates and parses live API specification files
robots.txt analysis — extracts API-related paths from robots exclusion
JavaScript endpoint extraction — scrapes fetch/axios/XMLHttpRequest calls from JS files
Favicon/asset fingerprinting — extracts API hints from CDN-hosted assets
Path brute-forcing — common API path patterns with wordlist
Parameter enumeration — discovers API query parameter names
API version detection — identifies API version strings in responses
JSON export — structured endpoint inventory

Tier Comparison

Feature	Free	Lifetime ($39)	Optional Monthly ($7/mo)
Target scan	✅ (3 scans)	✅ (unlimited)	✅ (unlimited)
Swagger/OpenAPI discovery	✅	✅	✅
robots.txt analysis	✅	✅	✅
JS endpoint extraction	✅	✅	✅
Favicon fingerprinting	✅	✅	✅
Path brute-forcing	✅	✅	✅
Parameter enumeration	✅	✅	✅
JSON export	✅	✅	✅

Installation

cp -r /home/guy/.openclaw/workspace/apps/api-endpoint-discovery ~/.openclaw/skills/api-endpoint-discovery

Usage

Basic passive discovery (free tier)

python3 endpoint_discovery.py --target "https://api.target.com"

Pro scan with brute-forcing (Pro)

[email protected] python3 endpoint_discovery.py \
  --target "https://api.target.com" --pro

Bundle — full active + passive scan

python3 endpoint_discovery.py --target "https://api.target.com" \
  --bundle --output inventory.json

Parameters

Flag	Type	Default	Description
`--target`	string	—	Target base URL (e.g. https://api.target.com)
`--pro`	flag	False	Enable Pro features
`--bundle`	flag	False	Enable Bundle features
`--wordlist`	string	built-in	Path to custom wordlist for brute-forcing
`--threads`	int	10	Number of concurrent threads
`--output`	string	—	Write JSON inventory to file

Output Example

=== API Endpoint Discovery ===
Target: https://api.target.com

  [1m[92m✔[0m Discovered 24 endpoints across 3 API versions

  Swagger/OpenAPI:
    [1m[92m✔[0m /swagger/v1/api.json — OpenAPI 3.0 spec found
    [1m[92m✔[0m /api-docs — Swagger UI detected

  Endpoints by category:

    Authentication (5 endpoints)
      POST /api/v1/auth/login         — 200 OK
      POST /api/v1/auth/register      — 201 Created
      POST /api/v1/auth/refresh      — 200 OK
      POST /api/v1/auth/logout        — 204 No Content
      GET  /api/v1/auth/session       — 200 OK

    Users (7 endpoints)
      GET  /api/v1/users             — 200 OK (paginated)
      GET  /api/v1/users/:id         — 200 OK
      POST /api/v1/users             — 201 Created
      PUT  /api/v1/users/:id          — 200 OK
      DELETE /api/v1/users/:id       — 204 No Content

    Products (6 endpoints)
      GET  /api/v1/products          — 200 OK
      GET  /api/v1/products/:id     — 200 OK
      POST /api/v1/products         — 201 Created
      ...

  Hidden/exposed sensitive endpoints:
    ⚠️ GET /api/v1/admin/users      — Admin-only, no auth observed
    ⚠️ POST /api/v1/debug/config   — Debug endpoint — INFORMATION EXPOSURE

  Version fingerprinting:
    X-API-Version: 1.2.3
    Server: Apache-Coyote/1.1

  Threat Level: MEDIUM — 2 sensitive endpoints exposed without auth

Pro Upgrade

Full API discovery with brute-forcing, JS scraping, and parameter enumeration:

👉 Buy Lifetime — $39 👉 Subscribe Monthly — $7/mo

Support

Open a ticket in #edgeiq-support or email [email protected]

🔗 More from EdgeIQ Labs

edgeiqlabs.com — Security tools, OSINT utilities, and micro-SaaS products for developers and security professionals.

🛠️ Subdomain Hunter — Passive subdomain enumeration via Certificate Transparency
📸 Screenshot API — URL-to-screenshot API for developers
🔔 uptime.check — URL uptime monitoring with alerts
🛡️ headers.check — HTTP security headers analyzer

👉 Visit edgeiqlabs.com →

安全使用建议

This tool implements expected API discovery capabilities (OpenAPI/Swagger parsing, JS scraping, brute-forcing), but there are red flags you should consider before installing or running it: - Licensing bypass: The code ships with an empty VALID_LICENSES and treats EDGEIQ_EMAIL (and a hardcoded email address) as sufficient to enable 'Pro/Bundle' features. The SKILL.md even tells users to set EDGEIQ_EMAIL to enable Pro — this contradicts the paid model and suggests sloppy or deceptive monetization. - Active scanning risks: The script supports multi-threaded path brute-forcing and parameter enumeration. Running it against domains you don't own or without explicit authorization may be illegal and will likely trigger intrusion detection and potential blocking/legal issues. Only use it against targets you control or have written permission to test. - Local footprint: The tool reads/writes a license under ~/.edgeiq. If you care about disk hygiene, review or sandbox that behavior. - Unknown provenance: Source and homepage are unknown. The package includes support and payment links in SKILL.md, but the licensing implementation is weak. Prefer code from known, verifiable authors or run inside an isolated VM/container and inspect the code yourself before use. Recommendations before installing: - Review the full endpoint_discovery.py and edgeiq_licensing.py files (they are included) to confirm there are no network callbacks or telemetry you don't want. - If you plan to run scans, do so in an isolated environment and only against authorized targets. - If you expect to pay for Pro features, verify the licensing mechanism with the author; do not rely on EDGEIQ_EMAIL as a security/monetization mechanism. - If unsure, avoid installing or run the skill in a disposable container/VM and restrict network access to the target domains only.

功能分析

Type: OpenClaw Skill Name: edgeiq-api-endpoint-discovery Version: 1.4.0 The skill bundle implements a functional API security scanner that performs passive OSINT and active path brute-forcing as described in its documentation. The code (endpoint_discovery.py) uses standard Python libraries to discover Swagger specs, parse robots.txt, and probe common API endpoints. While it includes a commercial licensing model with Stripe payment links and a basic 'Pro' tier check, there is no evidence of data exfiltration, malicious execution, or unauthorized access to the host system.

能力标签

cryptocan-make-purchasesrequires-sensitive-credentials

能力评估

ℹ Purpose & Capability

The name/description match the included scanner code (OpenAPI discovery, JS scraping, path brute-forcing). However the SKILL.md advertises paid Pro/Bundle tiers while the shipped licensing code contains an empty VALID_LICENSES mapping and an obvious shortcut (granting Pro/Bundle if EDGEIQ_EMAIL is set to a specific email). The metadata declares no required env vars but runtime docs instruct users to set EDGEIQ_EMAIL to enable Pro features — this is inconsistent and disproportionate to the stated purpose.

⚠ Instruction Scope

Runtime instructions direct the agent/user to run endpoint_discovery.py which performs passive and active scanning (including path brute-forcing and JS scraping). That behavior is consistent with the stated purpose, but SKILL.md explicitly instructs users to enable Pro via [email protected], effectively encouraging an environment-variable bypass of paid gating. Installation instructions also reference a hardcoded user path (/home/guy/...) which is odd and suggests careless packaging. Active brute-forcing is intrusive by nature and the skill provides multi-threaded scanning — users must not run it against unauthorized targets.

ℹ Install Mechanism

No formal install spec (instruction-only) — code is copied into the agent skills directory per SKILL.md. This is low-risk from an automatic install point of view, but the included files will be written to disk when the user follows the copy command. The copy instruction references a specific local path (/home/guy/...) which is incorrect for general users and indicates sloppy packaging.

⚠ Credentials

The skill declares no required environment variables but the code and docs rely on EDGEIQ_EMAIL and ~/.edgeiq/license.key for license checks. The license check is trivial (specific email is hardcoded to grant bundle) and VALID_LICENSES is empty, effectively allowing users to bypass paid gating by setting an env var. The skill reads/writes under the user's home (~/.edgeiq) which is not strictly necessary for core discovery functionality and widens the local filesystem footprint.

✓ Persistence & Privilege

always:false and there is no evidence the skill requests elevated privileges, installs daemons, or modifies other skills. It reads/writes a per-user license file under ~/.edgeiq which is limited scope and expected for a licensing module, though the behavior is unnecessary for core scanning.

版本历史

v1.4.0

v1.4.0: URGENT FIX — corrected Stripe Payment Link URLs (no suffixes, correct live URLs)

v1.3.0

v1.3.0: CRITICAL FIX — replaced placeholder Stripe URLs with real working Payment Link checkout URLs

v1.2.0

v1.2.0: Dual pricing — Lifetime as primary purchase option with optional monthly. Updated Stripe checkout URLs.

v1.0.0

Initial release: OpenAPI/Swagger discovery, robots.txt parsing, JavaScript endpoint extraction, favicon fingerprinting, path brute-forcing, parameter enumeration, sensitive endpoint detection.

元数据

Slug edgeiq-api-endpoint-discovery

版本 1.4.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 4

常见问题