实施安全 API 实践的指南,包括身份验证、授权、输入验证、速率限制和针对常见 API 漏洞的保护...
方法一:命令行安装(推荐)
推荐(无需提前安装 clawhub)
npx clawhub@latest --dir ~/.claude/skills install api-security
(`@latest` 会在每次运行时获取当时发布的最新版本;如需可复现的安装,请改为固定到已核对过的具体版本号。)
或使用 clawhub CLI(需提前安装)
clawhub --dir ~/.claude/skills install api-security
⚠️ 需要 Node.js 18+,没有 Node?请使用下方方法二直接下载 ZIP。 安装 Node.js →
方法二:手动下载安装(无需 Node)
下载 ZIP,解压后将文件夹放到以下路径,重启 Agent 即可:
安装路径
~/.claude/skills/api-security/
💡解压后将文件夹放到上方路径,重启 Agent 即可生效
Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities.
USE WHEN:
DON'T USE WHEN:
vulnerability-scanner skill)
OUTPUTS:
---
---
// auth.js
const jwt = require('jsonwebtoken');
const bcrypt = require('bcrypt');
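// Throwaway bcrypt hash, computed once at startup. It is compared against when
// the e-mail is unknown so that both failure paths perform one bcrypt
// comparison and response time does not separate "no such user" from
// "wrong password". Cost 10 is assumed to match the cost used for real
// password hashes — adjust if the application hashes with a different cost.
const LOGIN_DUMMY_HASH = bcrypt.hashSync('login-timing-equaliser', 10);

/**
 * POST /api/auth/login
 *
 * Checks an e-mail/password pair and, on success, issues a short-lived access
 * token (1 hour) plus a refresh token (7 days) that is also recorded in the
 * database.
 *
 * Responses:
 *   200 { token, refreshToken, expiresIn }  credentials accepted
 *   400 { error }                           email or password missing / not a string
 *   401 { error }                           unknown e-mail or wrong password (same body for both)
 *   500 { error }                           unexpected failure (details are logged, not returned)
 */
app.post('/api/auth/login', async (req, res) => {
  try {
    const { email, password } = req.body ?? {};

    // Require non-empty strings. A JSON body can carry objects or arrays in
    // these fields; passing those on to the ORM filter or to bcrypt would
    // either change the query or surface as a 500 instead of a clean 400.
    if (typeof email !== 'string' || typeof password !== 'string' || !email || !password) {
      return res.status(400).json({ error: 'Email and password required' });
    }

    const user = await db.user.findUnique({ where: { email } });

    // Always run exactly one bcrypt comparison, then answer both failure
    // cases with the same status and body.
    const hashToCheck = user ? user.passwordHash : LOGIN_DUMMY_HASH;
    const validPassword = await bcrypt.compare(password, hashToCheck);
    if (!user || !validPassword) {
      return res.status(401).json({ error: 'Invalid credentials' });
    }

    // Access token. HS256 is jsonwebtoken's default for a shared secret; it is
    // spelled out so the verifier can pin the same algorithm.
    const token = jwt.sign(
      { userId: user.id, email: user.email, role: user.role },
      process.env.JWT_SECRET,
      { algorithm: 'HS256', expiresIn: '1h', issuer: 'your-app', audience: 'your-app-users' }
    );

    // Refresh token, signed with a separate secret so that an access-token
    // secret leak does not also allow minting refresh tokens.
    const refreshToken = jwt.sign(
      { userId: user.id },
      process.env.JWT_REFRESH_SECRET,
      { algorithm: 'HS256', expiresIn: '7d' }
    );

    // Record the refresh token server-side.
    // NOTE(review): the token is stored as issued. Storing only a digest of it
    // would keep a database read from yielding usable tokens, but the refresh
    // endpoint (not shown here) would have to look tokens up by digest too.
    await db.refreshToken.create({
      data: {
        token: refreshToken,
        userId: user.id,
        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)
      }
    });

    res.json({ token, refreshToken, expiresIn: 3600 });
  } catch (error) {
    // Log the detail server-side only; the client gets a generic message.
    console.error('Login error:', error);
    res.status(500).json({ error: 'An error occurred during login' });
  }
});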
// middleware/auth.js
const jwt = require('jsonwebtoken');
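/**
 * Express middleware that authenticates a request from its
 * `Authorization: Bearer <token>` header.
 *
 * On success the decoded JWT payload is placed on `req.user` and `next()` is
 * called. Otherwise the request is answered here:
 *   401 { error: 'Access token required' }  header missing, or not a Bearer credential
 *   401 { error: 'Token expired' }          signature fine but the token has expired
 *   403 { error: 'Invalid token' }          any other verification failure
 *
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {import('express').NextFunction} next
 */
function authenticateToken(req, res, next) {
  const authHeader = req.headers['authorization'];
  const [scheme, token] = typeof authHeader === 'string' ? authHeader.split(' ') : [];

  // Only a Bearer credential is a JWT. Other schemes (e.g. Basic) are rejected
  // up front instead of being handed to the JWT verifier.
  if (!token || !/^Bearer$/i.test(scheme)) {
    return res.status(401).json({ error: 'Access token required' });
  }

  jwt.verify(
    token,
    process.env.JWT_SECRET,
    {
      // Pin the accepted algorithm to the one the login handler on this page
      // signs with (jsonwebtoken's default for a shared secret), so the
      // token's own header cannot choose how it is verified.
      algorithms: ['HS256'],
      issuer: 'your-app',
      audience: 'your-app-users'
    },
    (err, user) => {
      if (err) {
        if (err.name === 'TokenExpiredError') {
          return res.status(401).json({ error: 'Token expired' });
        }
        return res.status(403).json({ error: 'Invalid token' });
      }
      // The payload is trusted from here on: signature, expiry, issuer and
      // audience have all been checked by jwt.verify.
      req.user = user;
      next();
    }
  );
}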
module.exports = { authenticateToken };
---
// NEVER DO THIS - SQL Injection vulnerability
// Counter-example kept for contrast with the parameterized version that follows.
// What is wrong here:
//   - req.params.id is interpolated into the SQL text, so the value becomes
//     part of the statement instead of being passed as data;
//   - there is no format check on the id before it is used;
//   - SELECT * sends every column of the row back to the client, including
//     any that should never leave the server.
app.get('/api/users/:id', async (req, res) => {
const userId = req.params.id;
// The quotes around ${userId} do not help: the value can close them itself.
const query = `SELECT * FROM users WHERE id = '${userId}'`;
const user = await db.query(query);
res.json(user);
});
// Attack: GET /api/users/1' OR '1'='1 → Returns all users!
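/**
 * GET /api/users/:id — safe counterpart of the string-built query: the id is
 * format-checked, then passed as a bound parameter, and only non-sensitive
 * columns are selected.
 *
 * Responses:
 *   200 user record (id, email, name)
 *   400 { error }  id is not a run of decimal digits
 *   404 { error }  no matching user
 *   500 { error }  database or other unexpected failure
 *
 * NOTE(review): no authentication middleware or ownership check is attached to
 * this route — presumably omitted to keep the example short. A real endpoint
 * should also decide whether the caller may read this particular user.
 */
app.get('/api/users/:id', async (req, res) => {
  try {
    const userId = req.params.id;

    // Validate input first: digits only.
    if (!userId || !/^\d+$/.test(userId)) {
      return res.status(400).json({ error: 'Invalid user ID' });
    }

    // Parameterized query: the driver sends the value separately from the SQL
    // text, so it can never be parsed as part of the statement.
    const user = await db.query(
      'SELECT id, email, name FROM users WHERE id = $1',
      [userId]
    );

    // NOTE(review): `db` is not defined on this page. If it is a driver whose
    // query() resolves to a result object rather than a row, this check needs
    // to look at the returned rows instead — confirm against the actual client.
    if (!user) {
      return res.status(404).json({ error: 'User not found' });
    }

    res.json(user);
  } catch (error) {
    // Without this, a rejected query in an async handler is never answered.
    // Keep the detail in the server log and return a generic message.
    console.error('User lookup error:', error);
    res.status(500).json({ error: 'An error occurred while fetching the user' });
  }
});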
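/**
 * GET /api/users/:id — ORM variant. The id is strictly validated, converted to
 * an integer, and the query selects only fields that are safe to return.
 *
 * Responses:
 *   200 { id, email, name }
 *   400 { error }  id is not a plain non-negative integer
 *   404 { error }  no matching user
 *   500 { error }  database or other unexpected failure
 */
app.get('/api/users/:id', async (req, res) => {
  try {
    const rawId = req.params.id;

    // parseInt alone is lenient ("12abc" parses as 12, leading whitespace is
    // skipped), so require digits only before converting, and always pass the
    // radix. isSafeInteger also rejects values too large to represent exactly.
    const userId = /^\d+$/.test(rawId) ? Number.parseInt(rawId, 10) : Number.NaN;
    if (!Number.isSafeInteger(userId)) {
      return res.status(400).json({ error: 'Invalid user ID' });
    }

    const user = await prisma.user.findUnique({
      where: { id: userId },
      select: { id: true, email: true, name: true } // Allowlist: sensitive fields are never read
    });

    if (!user) {
      return res.status(404).json({ error: 'User not found' });
    }

    res.json(user);
  } catch (error) {
    // A rejected query in an async handler would otherwise go unanswered.
    console.error('User lookup error:', error);
    res.status(500).json({ error: 'An error occurred while fetching the user' });
  }
});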
const { z } = require('zod');
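/**
 * Validation schema for the body of POST /api/users.
 *
 *   email    must parse as an e-mail address
 *   password 8–72 characters with at least one upper-case letter, one
 *            lower-case letter and one digit
 *   name     2–100 characters
 *   age      optional integer from 18 to 120
 */
const createUserSchema = z.object({
  email: z.string().email('Invalid email format'),
  password: z
    .string()
    .min(8, 'Password must be at least 8 characters')
    // bcrypt only uses the first 72 bytes of its input, so anything longer
    // would be silently truncated; the cap also bounds hashing work per
    // request. The limit counts characters, so passwords with multi-byte
    // characters can still exceed 72 bytes — tighten if that matters.
    .max(72, 'Password must be at most 72 characters')
    .regex(/[A-Z]/, 'Must contain uppercase letter')
    .regex(/[a-z]/, 'Must contain lowercase letter')
    .regex(/[0-9]/, 'Must contain number'),
  name: z.string().min(2).max(100),
  age: z.number().int().min(18).max(120).optional()
});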
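/**
 * Builds an Express middleware that validates `req.body` against `schema`.
 *
 * When validation passes, `req.body` is replaced with the value returned by
 * `schema.parse`, so later handlers only see what the schema produced (for an
 * object schema that drops unknown keys, those keys are gone). When it fails,
 * the request is answered with 400 and the schema's error list.
 *
 * @param {{ parse: (input: unknown) => unknown }} schema - any object exposing
 *   a throwing `parse` method, e.g. a zod schema.
 * @returns {(req: object, res: object, next: Function) => void}
 */
function validateRequest(schema) {
  return (req, res, next) => {
    let parsed;
    try {
      parsed = schema.parse(req.body);
    } catch (error) {
      return res.status(400).json({ error: 'Validation failed', details: error.errors });
    }

    // Hand downstream code the parsed value, not the raw body.
    req.body = parsed;

    // Called outside the try block so that an exception thrown further down
    // the middleware chain is not misreported as a validation failure.
    next();
  };
}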
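/**
 * POST /api/users — creates a user from a body that has already passed
 * validateRequest(createUserSchema).
 *
 * Responses:
 *   201 the created user without its password hash
 *   400 produced by the validation middleware
 *   500 { error }  hashing or database failure
 */
app.post('/api/users', validateRequest(createUserSchema), async (req, res) => {
  try {
    // Input is validated at this point. Naming the fields explicitly means no
    // other body property can reach the database call.
    const { email, password, name, age } = req.body;

    // Only the bcrypt hash is stored; the plaintext never leaves this scope.
    const passwordHash = await bcrypt.hash(password, 10);

    const user = await prisma.user.create({ data: { email, passwordHash, name, age } });

    // Drop the hash before responding.
    // NOTE(review): this removes one known field; an allowlist of returned
    // fields would also cover sensitive columns added to the model later.
    const { passwordHash: _, ...userWithoutPassword } = user;
    res.status(201).json(userWithoutPassword);
  } catch (error) {
    // Covers failures such as a uniqueness violation on email; the detail is
    // logged and the client receives a generic message.
    console.error('User creation error:', error);
    res.status(500).json({ error: 'An error occurred while creating the user' });
  }
});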
---
const rateLimit = require('express-rate-limit');
const RedisStore = require('rate-limit-redis');
const Redis = require('ioredis');
// Redis connection handed to both rate-limit stores below as their `client`.
// Host and port are read from the environment.
// NOTE(review): no password or TLS options are set here — confirm the Redis
// instance is reachable only from the application network, or add credentials.
const redis = new Redis({
host: process.env.REDIS_HOST,
port: process.env.REDIS_PORT
});
// General-purpose limiter: at most 100 requests per 15-minute window per key,
// counted in Redis under the 'rl:api:' prefix.
//
// Key choice: the authenticated user's id when req.user is populated,
// otherwise the client IP.
// NOTE(review): req.user is only set if the authentication middleware runs
// before this limiter; otherwise every request is keyed by IP. Behind a
// reverse proxy, req.ip is only the real client address when Express's
// `trust proxy` setting matches the deployment.
const apiLimiter = rateLimit({
  windowMs: 1000 * 60 * 15, // 15 minutes
  max: 100, // requests allowed per key per window
  keyGenerator: (req) => {
    const authenticatedId = req.user?.userId;
    return authenticatedId ? authenticatedId : req.ip;
  },
  store: new RedisStore({ client: redis, prefix: 'rl:api:' }),
  standardHeaders: true,
  legacyHeaders: false,
  message: { error: 'Too many requests, please try again later', retryAfter: 900 }
});
// Tight limiter for authentication endpoints: 5 counted attempts per
// 15-minute window, stored in Redis under the 'rl:auth:' prefix. Successful
// requests are skipped, so only failed attempts use up the budget.
//
// NOTE(review): no keyGenerator is given, so the library's default key is used
// (the client address). That throttles a single source but not attempts
// against one account spread over many addresses; a second limit keyed on the
// submitted account identifier would cover that case.
const authLimiter = rateLimit({
  windowMs: 1000 * 60 * 15,
  max: 5, // login attempts allowed per window
  skipSuccessfulRequests: true,
  store: new RedisStore({ client: redis, prefix: 'rl:auth:' }),
  message: { error: 'Too many login attempts, please try again later', retryAfter: 900 }
});
...安装 API 安全最佳实践 后,可以对 AI 说这些话来触发它
Help me get started with API Security Best Practices
Explains what API Security Best Practices does, walks through the setup, and runs a quick demo based on your current project
Use API Security Best Practices to guide to implement secure API practices including authentication, a...
Invokes API Security Best Practices with the right parameters and returns the result directly in the conversation
What can I do with API Security Best Practices in my finance & investment workflow?
Lists the top use cases for API Security Best Practices, with example commands for each scenario
将技能文件夹放到 ~/.claude/skills/api-security/ 目录(个人级,所有项目可用),或 .claude/skills/api-security/(项目级)。重启 AI 客户端后,用 /api-security 主动调用,或让 AI 根据上下文自动发现并使用。
API 安全最佳实践 支持 Claude、Cursor、OpenClaw,可与这些 AI 平台无缝集成,扩展其能力。
API 安全最佳实践 可免费安装使用。请查阅仓库了解许可证信息。
实施安全 API 实践的指南,包括身份验证、授权、输入验证、速率限制和针对常见 API 漏洞的保护...
API 安全最佳实践 属于「Finance & Investment」分类,该分类的技能帮助 AI 智能体在此领域执行专业任务。
Automate my finance & investment tasks using API Security Best Practices
Identifies repetitive steps in your workflow and sets up API Security Best Practices to handle them automatically