api-test
Tests API endpoints for the MCP Finance app, ensuring authentication, data validation, and error handling are functioning correctly.
Security score
The api-test skill was audited on Feb 27, 2026 and we found 39 security issues across 4 threat categories. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 177 | const response = await fetch(`${BASE_URL}${path}`, options); |
Template literal with variable interpolation in command context
| 180 | console.log(`✓ ${method} ${path}: ${response.status}`); |
Template literal with variable interpolation in command context
| 185 | console.error(`✗ Error testing ${path}:`, error.message); |
Curl to non-GitHub URL
| 25 | curl http://localhost:3000/api/health |
Curl to non-GitHub URL
| 69 | curl -X GET http://localhost:3000/api/transactions \ |
Curl to non-GitHub URL
| 80 | curl -X GET http://localhost:3000/api/transactions \ |
Curl to non-GitHub URL
| 90 | curl -X POST http://localhost:3000/api/transactions \ |
Curl to non-GitHub URL
| 122 | curl -X POST http://localhost:3000/api/transactions \ |
Curl to non-GitHub URL
| 136 | curl -X POST http://localhost:3000/api/transactions \ |
Curl to non-GitHub URL
| 150 | curl -X GET http://localhost:3000/api/stocks |
Curl to non-GitHub URL
| 293 | curl -w "@curl-format.txt" -o /dev/null -s http://localhost:3000/api/stocks |
Curl to non-GitHub URL
| 325 | curl http://localhost:3000/api/health |
Curl to non-GitHub URL
| 328 | curl http://localhost:3000/api/stocks | jq |
Curl to non-GitHub URL
| 331 | curl http://localhost:3000/api/stocks/AAPL | jq |
Curl to non-GitHub URL
| 334 | curl -v http://localhost:3000/api/health |
Curl to non-GitHub URL
| 337 | curl http://localhost:3000/api/stocks > response.json |
Curl to non-GitHub URL
| 340 | curl -H "Authorization: Bearer TOKEN" http://localhost:3000/api/stocks |
Curl to non-GitHub URL
| 343 | curl -X POST http://localhost:3000/api/endpoint \ |
Webhook reference - potential data exfiltration
| 59 | ### Webhook Endpoints |
Webhook reference - potential data exfiltration
| 61 | - `POST /api/webhooks/clerk` - Clerk webhooks |
Webhook reference - potential data exfiltration
| 62 | - `POST /api/webhooks/stripe` - Stripe webhooks |
Access to .env file
| 308 | 1. Ensure Clerk is configured in .env |
External URL reference
| 20 | Wait for the server to start (usually at http://localhost:3000). |
External URL reference
| 25 | curl http://localhost:3000/api/health |
External URL reference
| 69 | curl -X GET http://localhost:3000/api/transactions \ |
External URL reference
| 80 | curl -X GET http://localhost:3000/api/transactions \ |
External URL reference
| 90 | curl -X POST http://localhost:3000/api/transactions \ |
External URL reference
| 122 | curl -X POST http://localhost:3000/api/transactions \ |
External URL reference
| 136 | curl -X POST http://localhost:3000/api/transactions \ |
External URL reference
| 150 | curl -X GET http://localhost:3000/api/stocks |
External URL reference
| 161 | const BASE_URL = "http://localhost:3000"; |
External URL reference
| 293 | curl -w "@curl-format.txt" -o /dev/null -s http://localhost:3000/api/stocks |
External URL reference
| 325 | curl http://localhost:3000/api/health |
External URL reference
| 328 | curl http://localhost:3000/api/stocks | jq |
External URL reference
| 331 | curl http://localhost:3000/api/stocks/AAPL | jq |
External URL reference
| 334 | curl -v http://localhost:3000/api/health |
External URL reference
| 337 | curl http://localhost:3000/api/stocks > response.json |
External URL reference
| 340 | curl -H "Authorization: Bearer TOKEN" http://localhost:3000/api/stocks |
External URL reference
| 343 | curl -X POST http://localhost:3000/api/endpoint \ |