This is a focused playbook for poking at GraphQL APIs and finding parameters that shouldn't be there. It walks through introspection queries, batching abuse, and hunting for admin-only fields that leak into public schemas. The real value is in the systematic approach: start with schema discovery, probe for IDOR and authz gaps in nested objects, then pivot to hidden parameter testing in REST endpoints using the same mindset. If you're testing APIs and keep wondering what fields the mobile app is sending that you can't see in the UI, this gives you the checklist. Pairs well with the API authorization and recon skills when you find something that smells wrong.
npx skills add https://github.com/yaklang/hack-skills --skill graphql-and-hidden-parameters