API Agent Development
Creates API agents to wrap external HTTP services, enabling request/response transformations and webhook tracking.
Install this skill
Security score
The API Agent Development skill was audited on Feb 9, 2026 and we found 40 security issues across 2 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Webhook reference - potential data exfiltration
| 3 | description: Create API agents that wrap external HTTP services (n8n, LangGraph, CrewAI, OpenAI endpoints). Configure request/response transforms, webhook status tracking, A2A protocol compliance. CRI |
Webhook reference - potential data exfiltration
| 9 | **CRITICAL**: API agents wrap external HTTP services. They use request/response transforms to adapt between Orchestrator AI's format and the external service's format. Status webhook URLs MUST read fr |
Webhook reference - potential data exfiltration
| 18 | - Setting up webhook status tracking |
Webhook reference - potential data exfiltration
| 31 | endpoint: "http://localhost:5678/webhook/f7387dc8-c6e4-460d-9a0c-685c86d76d1f" |
Webhook reference - potential data exfiltration
| 53 | description: "API agent that calls n8n webhook for marketing campaign swarm processing" |
Webhook reference - potential data exfiltration
| 58 | endpoint: "http://localhost:5678/webhook/marketing-swarm-flexible" |
Webhook reference - potential data exfiltration
| 73 | "statusWebhook": "{{env.API_BASE_URL}}/webhooks/status", |
Webhook reference - potential data exfiltration
| 187 | "statusWebhook": "{{env.API_BASE_URL}}/webhooks/status", |
Webhook reference - potential data exfiltration
| 331 | "yaml": "\n{\n \"metadata\": {\n \"name\": \"marketing-swarm-n8n\",\n \"displayName\": \"Marketing Swarm N8N\",\n \"description\": \"API agent that calls n8n webhook for market |
Webhook reference - potential data exfiltration
| 334 | **Note**: This example has hardcoded `statusWebhook`. The correct format should use `{{env.API_BASE_URL}}`. |
Webhook reference - potential data exfiltration
| 364 | "statusWebhook": "http://localhost:7100/webhooks/status", // From env |
Webhook reference - potential data exfiltration
| 373 | POST http://localhost:5678/webhook/marketing-swarm-flexible |
Webhook reference - potential data exfiltration
| 381 | "statusWebhook": "http://localhost:7100/webhooks/status", |
Webhook reference - potential data exfiltration
| 432 | ## Status Webhook Configuration |
Webhook reference - potential data exfiltration
| 441 | "statusWebhook": "http://host.docker.internal:7100/webhooks/status" |
Webhook reference - potential data exfiltration
| 452 | "statusWebhook": "{{env.API_BASE_URL}}/webhooks/status" |
Webhook reference - potential data exfiltration
| 460 | "statusWebhook": "{{env.API_BASE_URL || env.VITE_API_BASE_URL || 'http://host.docker.internal:7100'}}/webhooks/status" |
Webhook reference - potential data exfiltration
| 482 | "description": "API agent that calls n8n webhook", |
Webhook reference - potential data exfiltration
| 635 | endpoint: "http://localhost:5678/webhook/workflow-name" |
Webhook reference - potential data exfiltration
| 645 | "statusWebhook": "{{env.API_BASE_URL}}/webhooks/status", |
Webhook reference - potential data exfiltration
| 668 | "statusWebhook": "{{env.API_BASE_URL}}/webhooks/status" |
Webhook reference - potential data exfiltration
| 693 | ### ❌ Mistake 1: Hardcoded Status Webhook |
Webhook reference - potential data exfiltration
| 697 | "statusWebhook": "http://host.docker.internal:7100/webhooks/status" |
Webhook reference - potential data exfiltration
| 703 | "statusWebhook": "{{env.API_BASE_URL}}/webhooks/status" |
Webhook reference - potential data exfiltration
| 722 | "statusWebhook": "{{env.API_BASE_URL}}/webhooks/status" |
Webhook reference - potential data exfiltration
| 758 | - [ ] `endpoint` URL is correct (webhook URL for n8n, API URL for others) |
Webhook reference - potential data exfiltration
| 761 | - [ ] `statusWebhook` reads from environment (not hardcoded) |
External URL reference
| 31 | endpoint: "http://localhost:5678/webhook/f7387dc8-c6e4-460d-9a0c-685c86d76d1f" |
External URL reference
| 58 | endpoint: "http://localhost:5678/webhook/marketing-swarm-flexible" |
External URL reference
| 164 | | `{{env.API_BASE_URL}}` | Environment variable | `"http://localhost:7100"` | |
External URL reference
| 331 | "yaml": "\n{\n \"metadata\": {\n \"name\": \"marketing-swarm-n8n\",\n \"displayName\": \"Marketing Swarm N8N\",\n \"description\": \"API agent that calls n8n webhook for market |
External URL reference
| 364 | "statusWebhook": "http://localhost:7100/webhooks/status", // From env |
External URL reference
| 373 | POST http://localhost:5678/webhook/marketing-swarm-flexible |
External URL reference
| 381 | "statusWebhook": "http://localhost:7100/webhooks/status", |
External URL reference
| 441 | "statusWebhook": "http://host.docker.internal:7100/webhooks/status" |
External URL reference
| 460 | "statusWebhook": "{{env.API_BASE_URL || env.VITE_API_BASE_URL || 'http://host.docker.internal:7100'}}/webhooks/status" |
External URL reference
| 635 | endpoint: "http://localhost:5678/webhook/workflow-name" |
External URL reference
| 658 | endpoint: "http://localhost:8000/api/orchestrate" |
External URL reference
| 679 | endpoint: "https://api.example.com/v1/generate" |
External URL reference
| 697 | "statusWebhook": "http://host.docker.internal:7100/webhooks/status" |