graphql-security
Install: claude install-skill hlsitechio/claude-skills-security
# GraphQL Security Audit
Audit GraphQL APIs for vulnerabilities specific to the query language and protocol: query depth and complexity attacks (including alias batching), introspection leaks, field-level authorization bypass, and mutations that lack the authorization checks their query counterparts enforce.
## When this skill applies
- Reviewing GraphQL schemas and resolvers
- Auditing depth / complexity / cost limits
- Reviewing field-level authorization
- Checking introspection exposure in production
- Auditing persisted queries setup
- Reviewing GraphQL subscriptions and WebSocket auth
Use other skills for: REST API patterns (`saas-security-pack/saas-api-security`), backend framework auth wiring (`nodejs-express-security`, `nestjs-security`, `fastapi-security`), IDOR patterns generally (`saas-security-pack/saas-code-security-review`).
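When auditing the depth / complexity / cost limits listed above, the question is whether the server measures anything before executing a document. The following is an added example, not code from this skill or from the repository it ships in: a dependency-free guard in plain JavaScript that measures the three shape numbers a limit has to bound (selection-set depth, field count, alias count) and rejects a document that exceeds a ceiling. The ceilings in `DEFAULT_LIMITS`, the sample documents, and the helper names (`analyzeQuery`, `checkQueryLimits`, `nestedQuery`, `aliasBatchQuery`) are assumptions for illustration; a production implementation runs the same measurement against the parsed AST as a validation rule, after fragment definitions have been resolved.

```javascript
'use strict';
// Added example (not the skill's or repository's code): measure depth, field
// and alias counts of a GraphQL document so a limit can be enforced pre-execution.

// Tokenize a document. Strings, block strings and comments are consumed
// whole so braces or colons inside them cannot skew the counts below.
function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (/[\s,]/.test(c)) { i++; continue; }
    if (c === '#') { while (i < src.length && src[i] !== '\n') i++; continue; }
    if (src.startsWith('"""', i)) {                 // block string, may contain \"""
      let end = i + 3;
      for (;;) {
        end = src.indexOf('"""', end);
        if (end === -1) throw new Error('unterminated block string');
        if (src[end - 1] !== '\\') break;
        end += 3;
      }
      tokens.push({ kind: 'string' }); i = end + 3; continue;
    }
    if (c === '"') {                                // plain string with escapes
      i++;
      while (i < src.length && src[i] !== '"') i += src[i] === '\\' ? 2 : 1;
      if (i >= src.length) throw new Error('unterminated string');
      tokens.push({ kind: 'string' }); i++; continue;
    }
    if (src.startsWith('...', i)) { tokens.push({ kind: 'punct', value: '...' }); i += 3; continue; }
    if ('{}():@!=$[]|'.includes(c)) { tokens.push({ kind: 'punct', value: c }); i++; continue; }
    if (/[_A-Za-z]/.test(c)) {
      let j = i + 1;
      while (j < src.length && /[_0-9A-Za-z]/.test(src[j])) j++;
      tokens.push({ kind: 'name', value: src.slice(i, j) }); i = j; continue;
    }
    if (/[-0-9]/.test(c)) {
      let j = i + 1;
      while (j < src.length && /[0-9.eE+-]/.test(src[j])) j++;
      tokens.push({ kind: 'number' }); i = j; continue;
    }
    throw new Error(`unexpected character ${JSON.stringify(c)} at offset ${i}`);
  }
  return tokens;
}

// Shape of a document: depth = deepest nesting of selection sets (root = 1,
// inline fragments share their parent's level); fields = field selections in
// every selection set; aliases = aliased fields (alias batching packs many
// attempts into one request and multiplies resolver work). Fragment spreads
// (...Name) are NOT followed here; resolve fragments first in a real guard,
// otherwise a spread is a bypass.
function analyzeQuery(src) {
  const tokens = tokenize(src);
  const stack = [];                 // per open '{': does it add a depth level?
  let depth = 0, maxDepth = 0, parens = 0, fields = 0, aliases = 0;
  let pendingInline = false;        // the next '{' belongs to an inline fragment
  for (let k = 0; k < tokens.length; k++) {
    const t = tokens[k], next = tokens[k + 1];
    if (t.kind === 'punct') {
      if (t.value === '(') parens++;
      else if (t.value === ')') parens--;
      else if (parens > 0) continue;                       // inside arguments
      else if (t.value === '{') {
        stack.push(!pendingInline);
        if (!pendingInline) maxDepth = Math.max(maxDepth, ++depth);
        pendingInline = false;
      } else if (t.value === '}') { if (stack.pop()) depth--; }
      else if (t.value === '@') k++;                       // skip directive name
      else if (t.value === '...') {
        if (next && next.kind === 'name' && next.value === 'on') { k += 2; pendingInline = true; }
        else if (next && next.kind === 'name') k++;        // ...Fragment spread
        else pendingInline = true;                         // ... @dir { / ... {
      }
    } else if (t.kind === 'name' && parens === 0 && stack.length > 0) {
      if (next && next.kind === 'punct' && next.value === ':') { aliases++; k++; } // alias: field
      else fields++;
    }
  }
  return { depth: maxDepth, fields, aliases };
}

// Assumed ceilings for the demo; tune to the schema's real nesting.
const DEFAULT_LIMITS = { maxDepth: 7, maxFields: 200, maxAliases: 10 };

function checkQueryLimits(src, limits = DEFAULT_LIMITS) {
  const shape = analyzeQuery(src), violations = [];
  if (shape.depth > limits.maxDepth) violations.push(`depth ${shape.depth} > ${limits.maxDepth}`);
  if (shape.fields > limits.maxFields) violations.push(`fields ${shape.fields} > ${limits.maxFields}`);
  if (shape.aliases > limits.maxAliases) violations.push(`aliases ${shape.aliases} > ${limits.maxAliases}`);
  return { ok: violations.length === 0, shape, violations };
}

// Constructed sample documents (not captured from any real API).
const BENIGN_QUERY = `query Me($first: Int = 10) { me { id name posts(first: $first) { id title } } }`;
// Depth attack: a cyclic schema (user -> posts -> author -> posts ...) lets the
// client nest until resolver fan-out exhausts the backend.
function nestedQuery(levels) {
  let body = 'id';
  for (let i = 0; i < levels; i++) body = `posts { author { ${body} } }`;
  return `{ me { ${body} } }`;
}
// Alias batching: many copies of one mutation in a single request, sidestepping
// per-request rate limits on e.g. a login or OTP check.
function aliasBatchQuery(n) {
  const lines = [];
  for (let i = 0; i < n; i++) lines.push(`a${i}: login(user: "admin", password: "guess${i}") { token }`);
  return `mutation { ${lines.join(' ')} }`;
}

for (const [label, doc] of [['benign', BENIGN_QUERY], ['nested x5', nestedQuery(5)], ['alias x25', aliasBatchQuery(25)]]) {
  const r = checkQueryLimits(doc);
  console.log(label, r.ok ? 'accepted' : 'REJECTED', JSON.stringify(r.shape), r.violations.join('; '));
}
```

The benign query measures depth 3 with six fields and passes; five levels of `posts { author { ... } }` reach depth 12 and are rejected, and 25 aliased `login` mutations are rejected on the alias count even though their depth is only 2. During an audit, compare whatever the server enforces (a depth-limit validation rule, a cost plugin, an alias cap) against these three dimensions: a depth limit alone does nothing against alias batching, and a guard that measures before fragments are expanded can be bypassed by hiding the nesting in a fragment definition.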
## Workflow
Follow `../_shared/audit-workflow.md`. GraphQL-specific notes below.
### Phase 1: Stack detection
```bash
# Find the GraphQL server library
grep -E '"(apollo-server|@apollo/server|graphql-yoga|mercurius|express-graphql|@nestjs/graphql|graphql-tools)":' package.json
# Schema files
find . \( -name '*.graphql' -o -name '*.gql' -o -name 'schema.ts' \) -not -path '*/node_modules/*' | head -10
# Resolver locations
grep -rln 'Query:\|Mutation:\|Subscription:\|resolvers\s*=' src/ | head -10
```
### Phase 2: Inventory
```bash
# Endpoint configuration
grep -rnE 'graphqlPath|graphqlMiddleware|playground|introspection' src/
# Auth context setup (matches `context: ({ req }) =>` and `context: async ({ req }) =>`;
# note that in grep's default BRE syntax `\(` opens a group, so use -E for a literal paren)
grep -rnE 'context:\s*(async\s*)?\(' src/ | head
# Subscriptions (often a separate auth flow)
grep -rn 'Subscripti