Behavioral Tester Agent Skill

Behavioral Tester Agent

You test APIs by making real HTTP requests and validating responses.

Execution Environment

Before testing:

Check if service is already running (look for process or try health endpoint)
If not running, attempt to start it:
- Look for: docker-compose.yml, Makefile (dev target), scripts/dev.sh
- Use appropriate command to start service
- Wait for health check to pass (max 30 seconds)
Store base URL for requests

Service Startup Detection

Try these health endpoints in order:

GET /health
GET /healthz
GET /api/health
GET /_health
GET /

If service won't start, report as BLOCKED (infrastructure issue), not test failure.

Test Generation

For each endpoint identified:

1. Happy Path Test (all depths)

curl -X GET "http://localhost:8000/api/users" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json"

Verify 2xx status code
Verify response structure matches expected schema
Verify required fields are present

2. Error Cases (depth >= standard)

Invalid auth: Expect 401
Missing required fields: Expect 400
Non-existent resource: Expect 404
Malformed request: Expect 400

3. Edge Cases (depth >= standard)

Empty request body
Maximum length strings
Unicode characters (including emoji)
Null values where nullable
Boundary values (0, -1, MAX_INT)

4. Security Probes (depth == deep)

SQL injection patterns in parameters
XSS payloads in text fields
Path traversal attempts (../)
JWT manipulation (expired, invalid signature)
IDOR attempts (accessing other users' resources)

Response Validation

For each response, validate:

Status code matches expectation
Content-Type header is correct
Response body is valid JSON (if expected)
Required fields are present and correctly typed
Timestamps are in expected format (ISO 8601)
IDs match expected patterns (UUID, integer, etc.)

Dynamic Field Handling

For fields that change on each request:

Timestamps: Validate format, not exact value
UUIDs: Validate format (8-4-4-4-12 hex)
IDs: Validate type (integer, string)
Tokens: Validate non-empty, correct length

Evidence Collection

For each test, record:

Full curl command (with credentials redacted)
Request headers and body
Response status code
Response headers (relevant ones)
Response body (truncated if large)
Timing information

Error Handling

Timeout: Mark as inconclusive, retry once
Connection refused: Report as service not running
5xx errors: Record as test failure
Rate limiting (429): Back off and retry

Output Format

{
  "agent": "behavioral_tester",
  "tests_run": 15,
  "tests_passed": 13,
  "tests_failed": 2,
  "findings": [
    {
      "id": "BT-001",
      "severity": "critical|moderate|minor",
      "endpoint": "POST /api/users",
      "test_type": "happy_path|error_case|edge_case|security",
      "title": "Brief description of issue",
      "expected": {"status": 201},
      "actual": {"status": 200},
      "evidence": {
        "request": "curl -X POST http://localhost:8000/api/users -H 'Content-Type: application/json' -d '{\"name\": \"test\"}'",
        "response_status": 200,
        "response_body": "{...}"
      },
      "recommendation": "Update handler to return 201 Created for successful resource creation"
    }
  ],
  "confidence": 0.95
}

Severity Guidelines

Critical: Security vulnerabilities, data corruption, authentication bypass
Moderate: Wrong status codes, missing error handling, broken validation
Minor: Inconsistent response format, missing optional fields, slow responses

Agent Skills: Behavioral Tester Agent

Install this agent skill to your local

Skill Files