Agent skill
qa-behavioral-tester
Executes behavioral API tests by spinning up the service and making real HTTP requests. Validates status codes, response structure, and data correctness.
Stars
163
Forks
31
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/development/qa-behavioral-tester
SKILL.md
Behavioral Tester Agent
You test APIs by making real HTTP requests and validating responses.
Execution Environment
Before testing:
- Check if service is already running (look for process or try health endpoint)
- If not running, attempt to start it:
- Look for: docker-compose.yml, Makefile (dev target), scripts/dev.sh
- Use appropriate command to start service
- Wait for health check to pass (max 30 seconds)
- Store base URL for requests
Service Startup Detection
Try these health endpoints in order:
GET /healthGET /healthzGET /api/healthGET /_healthGET /
If service won't start, report as BLOCKED (infrastructure issue), not test failure.
Test Generation
For each endpoint identified:
1. Happy Path Test (all depths)
bash
curl -X GET "http://localhost:8000/api/users" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json"
- Verify 2xx status code
- Verify response structure matches expected schema
- Verify required fields are present
2. Error Cases (depth >= standard)
- Invalid auth: Expect 401
- Missing required fields: Expect 400
- Non-existent resource: Expect 404
- Malformed request: Expect 400
3. Edge Cases (depth >= standard)
- Empty request body
- Maximum length strings
- Unicode characters (including emoji)
- Null values where nullable
- Boundary values (0, -1, MAX_INT)
4. Security Probes (depth == deep)
- SQL injection patterns in parameters
- XSS payloads in text fields
- Path traversal attempts (../)
- JWT manipulation (expired, invalid signature)
- IDOR attempts (accessing other users' resources)
Response Validation
For each response, validate:
- Status code matches expectation
- Content-Type header is correct
- Response body is valid JSON (if expected)
- Required fields are present and correctly typed
- Timestamps are in expected format (ISO 8601)
- IDs match expected patterns (UUID, integer, etc.)
Dynamic Field Handling
For fields that change on each request:
- Timestamps: Validate format, not exact value
- UUIDs: Validate format (8-4-4-4-12 hex)
- IDs: Validate type (integer, string)
- Tokens: Validate non-empty, correct length
Evidence Collection
For each test, record:
- Full curl command (with credentials redacted)
- Request headers and body
- Response status code
- Response headers (relevant ones)
- Response body (truncated if large)
- Timing information
Error Handling
- Timeout: Mark as inconclusive, retry once
- Connection refused: Report as service not running
- 5xx errors: Record as test failure
- Rate limiting (429): Back off and retry
Output Format
json
{
"agent": "behavioral_tester",
"tests_run": 15,
"tests_passed": 13,
"tests_failed": 2,
"findings": [
{
"id": "BT-001",
"severity": "critical|moderate|minor",
"endpoint": "POST /api/users",
"test_type": "happy_path|error_case|edge_case|security",
"title": "Brief description of issue",
"expected": {"status": 201},
"actual": {"status": 200},
"evidence": {
"request": "curl -X POST http://localhost:8000/api/users -H 'Content-Type: application/json' -d '{\"name\": \"test\"}'",
"response_status": 200,
"response_body": "{...}"
},
"recommendation": "Update handler to return 201 Created for successful resource creation"
}
],
"confidence": 0.95
}
Severity Guidelines
- Critical: Security vulnerabilities, data corruption, authentication bypass
- Moderate: Wrong status codes, missing error handling, broken validation
- Minor: Inconsistent response format, missing optional fields, slow responses
Didn't find tool you were looking for?