home / skills / transilienceai / communitytools / api_portal_discovery

api_portal_discovery skill

needs review

/projects/techstack_identification/.claude/skills/api_portal_discovery

This skill discovers public API portals, OpenAPI/Swagger endpoints, and developer docs to map exposure and assist security research.

npx playbooks add skill transilienceai/communitytools --skill api_portal_discovery

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

5.2 KB

---
name: api-portal-discovery
description: Discovers public API portals, developer docs, and OpenAPI/Swagger endpoints
tools: Bash, WebFetch
model: inherit
hooks:
  PreToolUse:
    - matcher: "WebFetch"
      hooks:
        - type: command
          command: "../../../hooks/skills/pre_network_skill_hook.sh"
        - type: command
          command: "../../../hooks/skills/pre_rate_limit_hook.sh"
  PostToolUse:
    - matcher: "WebFetch"
      hooks:
        - type: command
          command: "../../../hooks/skills/post_skill_logging_hook.sh"
---

# API Portal Discovery Skill

## Purpose

Discover public API portals, developer documentation, and OpenAPI/Swagger specification endpoints for a given domain.

## Operations

### 1. check_api_subdomains

Test common API-related subdomains.

**Subdomain Wordlist:**
```
api, developer, developers, dev, docs, documentation,
api-docs, apidocs, api-portal, portal, integrate,
sandbox, public-api, open, openapi, swagger,
rest, graphql, gql, v1, v2, v3
```

**Process:**
1. For each subdomain, construct FQDN
2. Attempt HTTP HEAD request
3. Record status code and redirects
4. Flag successful responses for further analysis

**Example:**
```
Domain: example.com
Test: api.example.com, developers.example.com, docs.example.com, ...
```

### 2. find_openapi_spec

Check for OpenAPI/Swagger specification files.

**Common Paths:**
```
/openapi.json
/openapi.yaml
/swagger.json
/swagger.yaml
/api-docs
/api-docs.json
/v1/openapi.json
/v2/openapi.json
/v3/openapi.json
/docs/openapi.json
/api/openapi.json
/.well-known/openapi.json
/specification/openapi.json
```

**Process:**
1. For each API subdomain found:
2. Test each common path
3. Validate response is valid OpenAPI spec
4. Extract API metadata if found

**OpenAPI Validation:**
```json
{
  "openapi": "3.0.0",  // or "swagger": "2.0"
  "info": {
    "title": "string",
    "version": "string"
  },
  "paths": {...}
}
```

### 3. detect_graphql

Test for GraphQL endpoints.

**Common GraphQL Paths:**
```
/graphql
/gql
/api/graphql
/v1/graphql
/query
```

**Detection Method:**
1. Send POST request with introspection query
2. Check for GraphQL-specific response structure
3. Extract schema metadata if available

**Introspection Query:**
```graphql
{
  __schema {
    types {
      name
    }
  }
}
```

### 4. scan_robots_txt

Extract API paths from robots.txt.

**Process:**
1. Fetch /robots.txt
2. Parse Disallow and Allow directives
3. Identify API-related paths
4. Note any sitemap references

**API Path Patterns in robots.txt:**
```
Disallow: /api/
Disallow: /v1/
Disallow: /internal/
Allow: /api/public/
Sitemap: https://example.com/api-sitemap.xml
```

### 5. analyze_developer_portal

Analyze discovered developer portals for tech signals.

**Signals to Extract:**
- Authentication methods (OAuth, API keys, JWT)
- SDK languages mentioned
- Rate limit documentation
- Webhook support
- API versioning strategy

## Output

```json
{
  "skill": "api_portal_discovery",
  "domain": "string",
  "results": {
    "api_subdomains": [
      {
        "subdomain": "api.example.com",
        "status_code": 200,
        "redirect_to": null,
        "has_openapi": true,
        "has_graphql": false
      }
    ],
    "openapi_specs": [
      {
        "url": "https://api.example.com/openapi.json",
        "version": "3.0.0",
        "title": "Example API",
        "api_version": "1.0.0",
        "endpoints_count": 45,
        "auth_methods": ["oauth2", "apiKey"]
      }
    ],
    "graphql_endpoints": [
      {
        "url": "https://api.example.com/graphql",
        "introspection_enabled": true,
        "types_count": 120
      }
    ],
    "developer_portals": [
      {
        "url": "https://developers.example.com",
        "title": "Example Developer Portal",
        "sdks_mentioned": ["JavaScript", "Python", "Ruby"],
        "auth_methods": ["OAuth 2.0", "API Key"]
      }
    ],
    "robots_txt_findings": {
      "api_paths_disallowed": ["/api/internal/"],
      "api_paths_allowed": ["/api/public/"],
      "sitemaps": ["https://example.com/sitemap.xml"]
    }
  },
  "evidence": [
    {
      "type": "api_endpoint",
      "url": "string",
      "response_code": "number",
      "timestamp": "ISO-8601"
    },
    {
      "type": "openapi_spec",
      "url": "string",
      "version": "string"
    }
  ]
}
```

## Technology Inference from APIs

| Signal | Technology Indication |
|--------|----------------------|
| /swagger-ui/ path | Swagger UI (Java common) |
| /redoc path | ReDoc documentation |
| GraphQL introspection | GraphQL server |
| x-api-key header | Custom auth system |
| OAuth 2.0 in spec | OAuth provider integration |
| /v1/, /v2/ versioning | REST API maturity |

## Rate Limiting

- HTTP requests: 30/minute per domain
- OpenAPI validation: No limit (local parsing)
- GraphQL introspection: 5/minute (can be expensive)

## Error Handling

- 401/403 responses indicate protected APIs (still valuable discovery)
- 404 responses indicate path doesn't exist
- Timeout responses indicate potential API (record for retry)
- Continue discovery even if some paths fail

## Security Considerations

- Only use safe HTTP methods (GET, HEAD, OPTIONS)
- Do not attempt authentication bypass
- Respect rate limits in API documentation
- Log all requests for audit trail
- Do not execute arbitrary code from API specs

Overview

This skill discovers public API portals, developer documentation, and OpenAPI/Swagger or GraphQL endpoints for a given domain. It automates subdomain probing, robots.txt parsing, OpenAPI/Swagger discovery and validation, and GraphQL introspection to surface actionable API assets. Results include found subdomains, validated specs, GraphQL endpoints, and developer portal signals.

How this skill works

The skill probes a curated list of API-related subdomains with HTTP HEAD/GET to identify live hosts and redirects. For each candidate it checks common OpenAPI/Swagger paths and validates responses as OpenAPI v3 or Swagger 2.0 specs, extracting metadata like title, version, endpoints count, and auth methods. It also runs a GraphQL introspection query against common GraphQL paths and parses robots.txt for API paths and sitemaps. Developer portals are analyzed for auth methods, SDK mentions, rate-limiting notes, and webhook/versioning signals.

When to use it

During reconnaissance for bug bounty, pentest, or security research to locate public API assets
When inventorying an application’s externally exposed API surface and developer portals
To validate presence of published OpenAPI/Swagger specs or exposed GraphQL introspection
Before running deeper API testing to identify auth models and versioning strategies
To collect evidence for responsible disclosure or asset tracking

Best practices

Respect rate limits (default: ~30 HTTP requests/minute) and throttle probes per domain
Use safe HTTP methods only (HEAD, GET, OPTIONS) and avoid auth bypass attempts
Log timestamps and full request/response metadata for audit and triage
Treat 401/403 as valid discovery signals; schedule authenticated follow-ups if authorized
Validate OpenAPI responses locally and do not execute code from specs or SDK snippets

Example use cases

Find api.example.com, docs.example.com, and openapi.json to map a target’s REST surface
Locate an exposed /graphql endpoint and confirm introspection is enabled for schema enumeration
Extract Disallow entries from robots.txt that reveal hidden API paths or internal endpoints
Identify developer portal tech (Swagger UI, ReDoc) and documented auth (OAuth2, API Key)
Produce a consolidated JSON report of API subdomains, specs, GraphQL endpoints, and evidence

FAQ

Will the skill attempt authentication or bypass protections?

No. It uses only safe, unauthenticated methods (HEAD/GET/OPTIONS/POST for GraphQL introspection) and records access-restricted responses as findings.

How does OpenAPI validation work?

It checks for OpenAPI v3 or Swagger 2.0 keys (openapi/swagger, info, paths) and parses metadata locally without executing any spec-provided code.