- Home
- Skills
- Transilienceai
- Communitytools
- Api Portal Discovery
api_portal_discovery_skill
- Python
42
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill transilienceai/communitytools --skill api_portal_discovery- SKILL.md5.2 KB
Overview
This skill discovers public API portals, developer documentation, and OpenAPI/Swagger or GraphQL endpoints for a given domain. It automates subdomain probing, robots.txt parsing, OpenAPI/Swagger discovery and validation, and GraphQL introspection to surface actionable API assets. Results include found subdomains, validated specs, GraphQL endpoints, and developer portal signals.
How this skill works
The skill probes a curated list of API-related subdomains with HTTP HEAD/GET to identify live hosts and redirects. For each candidate it checks common OpenAPI/Swagger paths and validates responses as OpenAPI v3 or Swagger 2.0 specs, extracting metadata like title, version, endpoints count, and auth methods. It also runs a GraphQL introspection query against common GraphQL paths and parses robots.txt for API paths and sitemaps. Developer portals are analyzed for auth methods, SDK mentions, rate-limiting notes, and webhook/versioning signals.
When to use it
- During reconnaissance for bug bounty, pentest, or security research to locate public API assets
- When inventorying an application’s externally exposed API surface and developer portals
- To validate presence of published OpenAPI/Swagger specs or exposed GraphQL introspection
- Before running deeper API testing to identify auth models and versioning strategies
- To collect evidence for responsible disclosure or asset tracking
Best practices
- Respect rate limits (default: ~30 HTTP requests/minute) and throttle probes per domain
- Use safe HTTP methods only (HEAD, GET, OPTIONS) and avoid auth bypass attempts
- Log timestamps and full request/response metadata for audit and triage
- Treat 401/403 as valid discovery signals; schedule authenticated follow-ups if authorized
- Validate OpenAPI responses locally and do not execute code from specs or SDK snippets
Example use cases
- Find api.example.com, docs.example.com, and openapi.json to map a target’s REST surface
- Locate an exposed /graphql endpoint and confirm introspection is enabled for schema enumeration
- Extract Disallow entries from robots.txt that reveal hidden API paths or internal endpoints
- Identify developer portal tech (Swagger UI, ReDoc) and documented auth (OAuth2, API Key)
- Produce a consolidated JSON report of API subdomains, specs, GraphQL endpoints, and evidence
FAQ
No. It uses only safe, unauthenticated methods (HEAD/GET/OPTIONS/POST for GraphQL introspection) and records access-restricted responses as findings.
How does OpenAPI validation work?
It checks for OpenAPI v3 or Swagger 2.0 keys (openapi/swagger, info, paths) and parses metadata locally without executing any spec-provided code.