api_portal_discovery_skill

This skill discovers public API portals, OpenAPI/Swagger endpoints, and developer docs to map exposure and assist security research.
  • Python

42

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill transilienceai/communitytools --skill api_portal_discovery

  • SKILL.md5.2 KB

Overview

This skill discovers public API portals, developer documentation, and OpenAPI/Swagger or GraphQL endpoints for a given domain. It automates subdomain probing, robots.txt parsing, OpenAPI/Swagger discovery and validation, and GraphQL introspection to surface actionable API assets. Results include found subdomains, validated specs, GraphQL endpoints, and developer portal signals.

How this skill works

The skill probes a curated list of API-related subdomains with HTTP HEAD/GET to identify live hosts and redirects. For each candidate it checks common OpenAPI/Swagger paths and validates responses as OpenAPI v3 or Swagger 2.0 specs, extracting metadata like title, version, endpoints count, and auth methods. It also runs a GraphQL introspection query against common GraphQL paths and parses robots.txt for API paths and sitemaps. Developer portals are analyzed for auth methods, SDK mentions, rate-limiting notes, and webhook/versioning signals.

When to use it

  • During reconnaissance for bug bounty, pentest, or security research to locate public API assets
  • When inventorying an application’s externally exposed API surface and developer portals
  • To validate presence of published OpenAPI/Swagger specs or exposed GraphQL introspection
  • Before running deeper API testing to identify auth models and versioning strategies
  • To collect evidence for responsible disclosure or asset tracking

Best practices

  • Respect rate limits (default: ~30 HTTP requests/minute) and throttle probes per domain
  • Use safe HTTP methods only (HEAD, GET, OPTIONS) and avoid auth bypass attempts
  • Log timestamps and full request/response metadata for audit and triage
  • Treat 401/403 as valid discovery signals; schedule authenticated follow-ups if authorized
  • Validate OpenAPI responses locally and do not execute code from specs or SDK snippets

Example use cases

  • Find api.example.com, docs.example.com, and openapi.json to map a target’s REST surface
  • Locate an exposed /graphql endpoint and confirm introspection is enabled for schema enumeration
  • Extract Disallow entries from robots.txt that reveal hidden API paths or internal endpoints
  • Identify developer portal tech (Swagger UI, ReDoc) and documented auth (OAuth2, API Key)
  • Produce a consolidated JSON report of API subdomains, specs, GraphQL endpoints, and evidence

FAQ

No. It uses only safe, unauthenticated methods (HEAD/GET/OPTIONS/POST for GraphQL introspection) and records access-restricted responses as findings.

How does OpenAPI validation work?

It checks for OpenAPI v3 or Swagger 2.0 keys (openapi/swagger, info, paths) and parses metadata locally without executing any spec-provided code.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
api_portal_discovery skill by transilienceai/communitytools | VeilStrat