# Validate API Specs with Spectral

API specifications can miss security requirements before implementation starts. This skill guides Claude, Codex, and Claude Code through Spectral linting, OWASP API checks, and governance workflows.

## Install

```bash
npx skillstore add agentsecops/api-spectral
```

## Metadata

- Status: approved
- Slug: agentsecops-api-spectral
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/appsec/api-spectral
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: external_commands, network, filesystem, env_access, scripts
- Quality score: 79
- Quality tier: bronze
- Public page: https://skillstore.pages.dev/skills/agentsecops-api-spectral
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-api-spectral/manifest

## Capabilities

- Guides Spectral setup for OpenAPI, AsyncAPI, and Arazzo specifications.
- Provides OWASP API Security Top 10 rule mappings for API design review.
- Includes reusable Spectral rules for authentication, HTTPS, PII, and schema controls.
- Shows CI templates for GitHub Actions and broader security scanning workflows.
- Explains custom rule authoring, testing, and false positive review practices.

## Use Cases

- Review API Designs Before Build: Check OpenAPI or AsyncAPI files for missing authentication, insecure servers, sensitive query parameters, and OWASP API gaps.
- Standardize API Governance: Create shared Spectral rulesets that enforce organization standards across many API repositories.
- Add API Checks to CI: Use the workflow templates to report Spectral findings during pull requests and release pipelines.
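The three use cases above all rest on a shared Spectral ruleset. The following `.spectral.yaml` is an added example written for this page; it is not a file shipped by the skill or by the Spectral project. It extends Spectral's built-in `spectral:oas` rules and adds three of the checks the capabilities list names: every operation must declare a security requirement, every server URL must use HTTPS, and query parameter names must not suggest credentials. The regex word list and the HTTP method set are assumptions chosen for illustration.

```yaml
# .spectral.yaml - added example ruleset, not part of the skill package.
# Builds on Spectral's built-in OpenAPI rules (schema validity, unused
# components, operationId uniqueness, ...) and adds security-focused checks.
extends: ["spectral:oas"]

rules:
  # OWASP API2 (Broken Authentication): an operation with no `security`
  # array inherits the global one; an empty array explicitly disables auth.
  # This rule flags operations that carry no security requirement at all.
  # Adjust if your spec relies on a top-level `security` block (assumption:
  # each operation states its own requirement).
  operation-must-declare-security:
    description: Every operation must declare a non-empty security requirement.
    message: "{{path}} has no security requirement; add one or document why it is public."
    severity: error
    given: "$.paths[*][get,post,put,patch,delete]"
    then:
      field: security
      function: truthy

  # Transport security: reject plain-http server URLs anywhere in the spec.
  servers-must-use-https:
    description: Server URLs must use HTTPS.
    message: "Server URL '{{value}}' does not start with https://"
    severity: error
    given: "$.servers[*].url"
    then:
      function: pattern
      functionOptions:
        match: "^https://"

  # Sensitive values in query strings end up in access logs, browser history
  # and referrers. Flag parameter names that look like credentials.
  # The word list is an assumption; extend it to match your own vocabulary.
  no-credentials-in-query-params:
    description: Query parameter names must not look like secrets or credentials.
    message: "Query parameter '{{value}}' looks like a credential; move it to a header or body."
    severity: warn
    given: "$..parameters[?(@.in == 'query')].name"
    then:
      function: pattern
      functionOptions:
        notMatch: "(?:[pP]assword|[tT]oken|[sS]ecret|[aA]pi[_-]?[kK]ey|[sS]sn)"
```

Run it with `npx @stoplight/spectral-cli lint openapi.yaml --ruleset .spectral.yaml`. Keep new rules at `warn` until teams have reviewed their first batch of findings, then promote them to `error`; that matches the "do not fail builds on new rules" anti-pattern below.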

## Prompt Templates

### Lint One API Spec

```
Use the api-spectral skill to help me lint my OpenAPI file with Spectral. Explain the setup, command, and how to read the findings.
```

### Map Findings to OWASP API

```
Use the api-spectral skill to map these Spectral findings to OWASP API Security Top 10 categories and suggest practical remediation steps.
```

### Create Custom Ruleset

```
Use the api-spectral skill to draft a Spectral ruleset for our API standards. Include authentication, HTTPS, pagination, and sensitive data checks.
```

### Design CI Enforcement Plan

```
Use the api-spectral skill to design a phased CI rollout for API specification linting across many repositories. Include thresholds, exceptions, reports, and developer feedback.
```

## Limitations

- It is guidance and templates, not a bundled executable scanner.
- Referenced helper scripts are documented but not present in this package.
- Spectral results need human review before security sign-off.
- CI templates must be adapted and hardened before production use.

## Best Practices

- Start with built-in Spectral rules, then add custom security rules gradually.
- Review findings manually before treating them as confirmed vulnerabilities.
- Pin CI dependencies and verify downloaded tools before running them.
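As an illustration of the pinning practice above (and of the "remote script piped to bash" pattern the audit section warns about), here is an added GitHub Actions workflow; it is not one of the skill's own CI templates. It assumes the ruleset lives at `.spectral.yaml`, that the specs are under `openapi/`, and that `@stoplight/spectral-cli` is a dev dependency locked in `package-lock.json`. The `<pinned-commit-sha>` values are placeholders to be replaced with the full commit SHA of the action release you have reviewed.

```yaml
# .github/workflows/api-spec-lint.yml - added example, not a file from the skill.
name: API spec lint

on:
  pull_request:
    paths:
      - "openapi/**"
      - ".spectral.yaml"

# Least privilege: the job only needs to read the repository.
permissions:
  contents: read

jobs:
  spectral:
    runs-on: ubuntu-latest
    steps:
      # Pin actions to a full commit SHA (placeholder below), not a mutable tag.
      - uses: actions/checkout@<pinned-commit-sha>

      - uses: actions/setup-node@<pinned-commit-sha>
        with:
          node-version: "20"

      # `npm ci` installs exactly what package-lock.json records, so the
      # Spectral version is fixed and integrity-checked. No `curl ... | bash`.
      - run: npm ci

      # Fail the job only on `error` findings; `warn` still shows up as
      # inline PR annotations via the github-actions output format.
      - run: >
          npx spectral lint "openapi/**/*.yaml"
          --ruleset .spectral.yaml
          --fail-severity error
          --format github-actions
```

Rolling this out in phases works well: start with `--fail-severity error` and built-in rules only, let custom rules surface as warnings for a sprint or two, then tighten once the expected false positives have been triaged.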

## Anti Patterns

- Do not copy CI templates into production without reviewing remote downloads.
- Do not include real secrets, tokens, or private URLs in API examples.
- Do not fail builds on new rules before teams have reviewed expected false positives.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T06:15:38.265+00:00
- Summary: Static analysis reported many command, network, filesystem, environment, script, and weak-crypto patterns. Manual review found these are mostly documentation examples, Spectral rules, and CI templates for security scanning, not hidden runtime behavior. One CI template includes a remote script piped to bash, so publication is acceptable only with a clear warning.

## Stats

- Views: 463
- Downloads: 4
- Favorites: 0
- Popularity score: 0
