# Intercept and Analyze API Traffic

API teams need controlled visibility into encrypted client traffic. This skill guides mitmproxy setup, capture, replay, and reporting for authorized security testing.

## Install

```bash
npx skillstore add agentsecops/api-mitmproxy
```

## Metadata

- Slug: agentsecops-api-mitmproxy
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/appsec/api-mitmproxy
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: high
- Risk factors: external_commands, network, filesystem, env_access, scripts
- Quality score: 38
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/agentsecops-api-mitmproxy
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-api-mitmproxy/manifest

## Capabilities

- Explains how to start mitmproxy, mitmweb, and mitmdump for API traffic inspection.
- Guides HTTPS certificate installation for desktop, Android, and iOS clients.
- Shows workflows for capturing, replaying, modifying, and exporting API traffic.
- Provides Python addon examples for authentication checks, fuzzing, GraphQL review, and WebSocket inspection.
- Maps API testing tasks to OWASP API Security Top 10 categories.
- Includes CI and rule templates for broader security testing workflows.

## Use Cases

- Review Mobile API Traffic: Configure a test device through mitmproxy, inspect app requests, and document API authentication or authorization issues.
- Debug Client API Behavior: Capture requests from a client, replay flows, and compare headers, bodies, and status codes during integration debugging.
- Automate API Security Checks: Use mitmdump scripts and CI templates to record traffic, test selected controls, and export evidence for reports.

## Prompt Templates

### Set Up Basic Capture

```
Help me configure mitmproxy to capture HTTPS API traffic from a local test application. Include certificate setup and safe storage steps.
```

### Analyze Captured Requests

```
Review my captured API flow summary and identify authentication, authorization, input validation, and sensitive data handling concerns.
```

### Design a Test Addon

```
Design a mitmproxy Python addon plan to test authorization boundaries for this staging API without exposing tokens or personal data.
```

### Build a CI Workflow

```
Create a secure CI workflow plan that runs API tests through mitmdump, stores artifacts safely, and avoids remote shell installers.
```

## Limitations

- Requires mitmproxy and compatible client proxy configuration before traffic can be captured.
- Certificate pinning bypass depends on platform tooling and explicit authorization.
- Examples are templates and need adaptation before use in production pipelines.
- Captured flows can contain credentials, tokens, and personal data that require strict handling.

## Best Practices

- Use the skill only on systems where testing is explicitly authorized.
- Redact or encrypt captured flows because they may include credentials and personal data.
- Bind proxy listeners to localhost unless remote devices require access and firewall controls are in place.

## Anti Patterns

- Do not intercept production or third-party traffic without written authorization.
- Do not commit flow captures, HAR files, proxy certificates, or tokens to version control.
- Do not copy pipe-to-shell CI install commands without pinning and verifying the downloaded artifact.

## Security Audit

- Safe to publish: false
- Audited at: 2026-06-28T06:12:16.299+00:00
- Summary: The static findings are mostly documentation and template examples, not hidden executable payloads. However, the skill provides high-impact dual-use guidance for HTTPS interception, credential capture, certificate pinning bypass, exposed proxy listeners, request modification, and copied CI command execution patterns. No prompt injection attempt or confirmed malicious marketplace behavior was found, but publication should require stricter safeguards and warnings.

## Stats

- Views: 226
- Downloads: 5
- Favorites: 0
- Popularity score: 0
