Does it support introspection testing?

Yes, it specifically checks if introspection is enabled in production environments, which is a common security misconfiguration that leaks the entire API schema.

What GraphQL frameworks are supported?

The skill is framework-agnostic, detecting patterns common in Apollo Server, GraphQL Yoga, and other popular implementations by scanning schema and configuration files.

Can it fix the security issues it finds?

Yes, it provides concrete fix recommendations, including code diffs for middleware configuration and suggested authorization logic for resolvers.

What is the difference between standard and deep analysis?

Standard depth checks configuration and basic schema settings, while deep analysis traces the full resolver chain to data sources to map authorization coverage across all fields.

How does this skill detect GraphQL vulnerabilities?

It uses a combination of static code analysis, configuration checks, and automated scanners like Semgrep to identify misconfigurations and missing security controls in your schema and resolvers.

GraphQL Security Auditor

Name: GraphQL Security Auditor
Author: florianbuetow

byflorianbuetow

•

セキュリティとテスト

Analyzes GraphQL endpoints and schemas for critical security vulnerabilities like introspection leaks, depth abuse, and missing authorization.

This skill empowers Claude to perform deep security audits of GraphQL APIs by scanning schema definitions and resolver implementations for common attack vectors. It identifies high-risk configurations such as enabled introspection in production, lack of query depth or complexity limits, and batching abuse, while also tracing field-level authorization to ensure sensitive data is protected. By integrating with scanners like Semgrep and GraphQL Cop, it provides actionable remediation steps and code diffs to harden your API against Denial of Service and unauthorized data exposure.

主な機能

01Query depth and complexity limit verification

02Automated introspection and schema disclosure detection

036 GitHub stars

04Batching and alias-based Denial of Service (DoS) analysis

05Per-field authorization and resolver permission tracing

06Integration with security scanners like Semgrep and GraphQL Cop

ユースケース

01Hardening production GraphQL APIs against common OWASP vulnerabilities

02Identifying missing field-level access controls in complex resolver chains

03Preventing Denial of Service attacks by enforcing query resource limits

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add florianbuetow/claude-code graphql

For use in Claude.ai and ChatGPT

Download Skill