naftiko: 1.0.0-alpha2 info: label: ZAP API — script description: 'ZAP API — script. 24 operations. Lead operation: script. Self-contained Naftiko capability covering one Owasp Zap business surface.' tags: - Owasp Zap - script created: '2026-05-19' modified: '2026-05-19' binds: - namespace: env keys: OWASP_ZAP_API_KEY: OWASP_ZAP_API_KEY capability: consumes: - type: http namespace: owasp-zap-script baseUri: http://zap description: ZAP API — script business capability. Self-contained, no shared references. resources: - name: JSON-script-action-clearGlobalCustomVar path: /JSON/script/action/clearGlobalCustomVar/ operations: - name: scriptactionclearglobalcustomvar method: GET description: Clears a global custom variable. outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-action-clearGlobalVar path: /JSON/script/action/clearGlobalVar/ operations: - name: scriptactionclearglobalvar method: GET description: Clears the global variable with the given key. outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-action-clearGlobalVars path: /JSON/script/action/clearGlobalVars/ operations: - name: scriptactionclearglobalvars method: GET description: Clears the global variables. outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-action-clearScriptCustomVar path: /JSON/script/action/clearScriptCustomVar/ operations: - name: scriptactionclearscriptcustomvar method: GET description: Clears a script custom variable. outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-action-clearScriptVar path: /JSON/script/action/clearScriptVar/ operations: - name: scriptactionclearscriptvar method: GET description: Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-action-clearScriptVars path: /JSON/script/action/clearScriptVars/ operations: - name: scriptactionclearscriptvars method: GET description: Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-action-disable path: /JSON/script/action/disable/ operations: - name: scriptactiondisable method: GET description: Disables the script with the given name outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-action-enable path: /JSON/script/action/enable/ operations: - name: scriptactionenable method: GET description: Enables the script with the given name outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-action-load path: /JSON/script/action/load/ operations: - name: scriptactionload method: GET description: Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8 outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-action-remove path: /JSON/script/action/remove/ operations: - name: scriptactionremove method: GET description: Removes the script with the given name outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-action-runStandAloneScript path: /JSON/script/action/runStandAloneScript/ operations: - name: scriptactionrunstandalonescript method: GET description: Runs the stand alone script with the given name outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-action-setGlobalVar path: /JSON/script/action/setGlobalVar/ operations: - name: scriptactionsetglobalvar method: GET description: Sets the value of the global variable with the given key. outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-action-setScriptVar path: /JSON/script/action/setScriptVar/ operations: - name: scriptactionsetscriptvar method: GET description: Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-view-globalCustomVar path: /JSON/script/view/globalCustomVar/ operations: - name: scriptviewglobalcustomvar method: GET description: Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-view-globalCustomVars path: /JSON/script/view/globalCustomVars/ operations: - name: scriptviewglobalcustomvars method: GET description: Gets all the global custom variables (key/value pairs, the value is the string representation). outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-view-globalVar path: /JSON/script/view/globalVar/ operations: - name: scriptviewglobalvar method: GET description: Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-view-globalVars path: /JSON/script/view/globalVars/ operations: - name: scriptviewglobalvars method: GET description: Gets all the global variables (key/value pairs). outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-view-listEngines path: /JSON/script/view/listEngines/ operations: - name: scriptviewlistengines method: GET description: Lists the script engines available outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-view-listScripts path: /JSON/script/view/listScripts/ operations: - name: scriptviewlistscripts method: GET description: Lists the scripts available, with its engine, name, description, type and error state. outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-view-listTypes path: /JSON/script/view/listTypes/ operations: - name: scriptviewlisttypes method: GET description: Lists the script types available. outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-view-scriptCustomVar path: /JSON/script/view/scriptCustomVar/ operations: - name: scriptviewscriptcustomvar method: GET description: Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-view-scriptCustomVars path: /JSON/script/view/scriptCustomVars/ operations: - name: scriptviewscriptcustomvars method: GET description: Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-view-scriptVar path: /JSON/script/view/scriptVar/ operations: - name: scriptviewscriptvar method: GET description: Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. outputRawFormat: json outputParameters: - name: result type: object value: $. - name: JSON-script-view-scriptVars path: /JSON/script/view/scriptVars/ operations: - name: scriptviewscriptvars method: GET description: Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. outputRawFormat: json outputParameters: - name: result type: object value: $. authentication: type: apikey key: X-ZAP-API-Key value: '{{env.OWASP_ZAP_API_KEY}}' placement: header exposes: - type: rest namespace: owasp-zap-script-rest port: 8080 description: REST adapter for ZAP API — script. One Spectral-compliant resource per consumed operation, prefixed with /v1. resources: - path: /v1/json/script/action/clearglobalcustomvar name: json-script-action-clearglobalcustomvar description: REST surface for JSON-script-action-clearGlobalCustomVar. operations: - method: GET name: scriptactionclearglobalcustomvar description: Clears a global custom variable. call: owasp-zap-script.scriptactionclearglobalcustomvar outputParameters: - type: object mapping: $. - path: /v1/json/script/action/clearglobalvar name: json-script-action-clearglobalvar description: REST surface for JSON-script-action-clearGlobalVar. operations: - method: GET name: scriptactionclearglobalvar description: Clears the global variable with the given key. call: owasp-zap-script.scriptactionclearglobalvar outputParameters: - type: object mapping: $. - path: /v1/json/script/action/clearglobalvars name: json-script-action-clearglobalvars description: REST surface for JSON-script-action-clearGlobalVars. operations: - method: GET name: scriptactionclearglobalvars description: Clears the global variables. call: owasp-zap-script.scriptactionclearglobalvars outputParameters: - type: object mapping: $. - path: /v1/json/script/action/clearscriptcustomvar name: json-script-action-clearscriptcustomvar description: REST surface for JSON-script-action-clearScriptCustomVar. operations: - method: GET name: scriptactionclearscriptcustomvar description: Clears a script custom variable. call: owasp-zap-script.scriptactionclearscriptcustomvar outputParameters: - type: object mapping: $. - path: /v1/json/script/action/clearscriptvar name: json-script-action-clearscriptvar description: REST surface for JSON-script-action-clearScriptVar. operations: - method: GET name: scriptactionclearscriptvar description: Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. call: owasp-zap-script.scriptactionclearscriptvar outputParameters: - type: object mapping: $. - path: /v1/json/script/action/clearscriptvars name: json-script-action-clearscriptvars description: REST surface for JSON-script-action-clearScriptVars. operations: - method: GET name: scriptactionclearscriptvars description: Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. call: owasp-zap-script.scriptactionclearscriptvars outputParameters: - type: object mapping: $. - path: /v1/json/script/action/disable name: json-script-action-disable description: REST surface for JSON-script-action-disable. operations: - method: GET name: scriptactiondisable description: Disables the script with the given name call: owasp-zap-script.scriptactiondisable outputParameters: - type: object mapping: $. - path: /v1/json/script/action/enable name: json-script-action-enable description: REST surface for JSON-script-action-enable. operations: - method: GET name: scriptactionenable description: Enables the script with the given name call: owasp-zap-script.scriptactionenable outputParameters: - type: object mapping: $. - path: /v1/json/script/action/load name: json-script-action-load description: REST surface for JSON-script-action-load. operations: - method: GET name: scriptactionload description: Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8 call: owasp-zap-script.scriptactionload outputParameters: - type: object mapping: $. - path: /v1/json/script/action/remove name: json-script-action-remove description: REST surface for JSON-script-action-remove. operations: - method: GET name: scriptactionremove description: Removes the script with the given name call: owasp-zap-script.scriptactionremove outputParameters: - type: object mapping: $. - path: /v1/json/script/action/runstandalonescript name: json-script-action-runstandalonescript description: REST surface for JSON-script-action-runStandAloneScript. operations: - method: GET name: scriptactionrunstandalonescript description: Runs the stand alone script with the given name call: owasp-zap-script.scriptactionrunstandalonescript outputParameters: - type: object mapping: $. - path: /v1/json/script/action/setglobalvar name: json-script-action-setglobalvar description: REST surface for JSON-script-action-setGlobalVar. operations: - method: GET name: scriptactionsetglobalvar description: Sets the value of the global variable with the given key. call: owasp-zap-script.scriptactionsetglobalvar outputParameters: - type: object mapping: $. - path: /v1/json/script/action/setscriptvar name: json-script-action-setscriptvar description: REST surface for JSON-script-action-setScriptVar. operations: - method: GET name: scriptactionsetscriptvar description: Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. call: owasp-zap-script.scriptactionsetscriptvar outputParameters: - type: object mapping: $. - path: /v1/json/script/view/globalcustomvar name: json-script-view-globalcustomvar description: REST surface for JSON-script-view-globalCustomVar. operations: - method: GET name: scriptviewglobalcustomvar description: Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. call: owasp-zap-script.scriptviewglobalcustomvar outputParameters: - type: object mapping: $. - path: /v1/json/script/view/globalcustomvars name: json-script-view-globalcustomvars description: REST surface for JSON-script-view-globalCustomVars. operations: - method: GET name: scriptviewglobalcustomvars description: Gets all the global custom variables (key/value pairs, the value is the string representation). call: owasp-zap-script.scriptviewglobalcustomvars outputParameters: - type: object mapping: $. - path: /v1/json/script/view/globalvar name: json-script-view-globalvar description: REST surface for JSON-script-view-globalVar. operations: - method: GET name: scriptviewglobalvar description: Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. call: owasp-zap-script.scriptviewglobalvar outputParameters: - type: object mapping: $. - path: /v1/json/script/view/globalvars name: json-script-view-globalvars description: REST surface for JSON-script-view-globalVars. operations: - method: GET name: scriptviewglobalvars description: Gets all the global variables (key/value pairs). call: owasp-zap-script.scriptviewglobalvars outputParameters: - type: object mapping: $. - path: /v1/json/script/view/listengines name: json-script-view-listengines description: REST surface for JSON-script-view-listEngines. operations: - method: GET name: scriptviewlistengines description: Lists the script engines available call: owasp-zap-script.scriptviewlistengines outputParameters: - type: object mapping: $. - path: /v1/json/script/view/listscripts name: json-script-view-listscripts description: REST surface for JSON-script-view-listScripts. operations: - method: GET name: scriptviewlistscripts description: Lists the scripts available, with its engine, name, description, type and error state. call: owasp-zap-script.scriptviewlistscripts outputParameters: - type: object mapping: $. - path: /v1/json/script/view/listtypes name: json-script-view-listtypes description: REST surface for JSON-script-view-listTypes. operations: - method: GET name: scriptviewlisttypes description: Lists the script types available. call: owasp-zap-script.scriptviewlisttypes outputParameters: - type: object mapping: $. - path: /v1/json/script/view/scriptcustomvar name: json-script-view-scriptcustomvar description: REST surface for JSON-script-view-scriptCustomVar. operations: - method: GET name: scriptviewscriptcustomvar description: Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. call: owasp-zap-script.scriptviewscriptcustomvar outputParameters: - type: object mapping: $. - path: /v1/json/script/view/scriptcustomvars name: json-script-view-scriptcustomvars description: REST surface for JSON-script-view-scriptCustomVars. operations: - method: GET name: scriptviewscriptcustomvars description: Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. call: owasp-zap-script.scriptviewscriptcustomvars outputParameters: - type: object mapping: $. - path: /v1/json/script/view/scriptvar name: json-script-view-scriptvar description: REST surface for JSON-script-view-scriptVar. operations: - method: GET name: scriptviewscriptvar description: Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. call: owasp-zap-script.scriptviewscriptvar outputParameters: - type: object mapping: $. - path: /v1/json/script/view/scriptvars name: json-script-view-scriptvars description: REST surface for JSON-script-view-scriptVars. operations: - method: GET name: scriptviewscriptvars description: Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. call: owasp-zap-script.scriptviewscriptvars outputParameters: - type: object mapping: $. - type: mcp namespace: owasp-zap-script-mcp port: 9090 transport: http description: MCP adapter for ZAP API — script. One tool per consumed operation, routed inline through this capability's consumes block. tools: - name: clears-global-custom-variable description: Clears a global custom variable. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptactionclearglobalcustomvar outputParameters: - type: object mapping: $. - name: clears-global-variable-given-key description: Clears the global variable with the given key. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptactionclearglobalvar outputParameters: - type: object mapping: $. - name: clears-global-variables description: Clears the global variables. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptactionclearglobalvars outputParameters: - type: object mapping: $. - name: clears-script-custom-variable description: Clears a script custom variable. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptactionclearscriptcustomvar outputParameters: - type: object mapping: $. - name: clears-variable-given-key-given description: Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptactionclearscriptvar outputParameters: - type: object mapping: $. - name: clears-variables-given-script-returns description: Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptactionclearscriptvars outputParameters: - type: object mapping: $. - name: disables-script-given-name description: Disables the script with the given name hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptactiondisable outputParameters: - type: object mapping: $. - name: enables-script-given-name description: Enables the script with the given name hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptactionenable outputParameters: - type: object mapping: $. - name: loads-script-zap-given-local description: Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8 hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptactionload outputParameters: - type: object mapping: $. - name: removes-script-given-name description: Removes the script with the given name hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptactionremove outputParameters: - type: object mapping: $. - name: runs-stand-alone-script-given description: Runs the stand alone script with the given name hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptactionrunstandalonescript outputParameters: - type: object mapping: $. - name: sets-value-global-variable-given description: Sets the value of the global variable with the given key. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptactionsetglobalvar outputParameters: - type: object mapping: $. - name: sets-value-variable-given-key description: Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptactionsetscriptvar outputParameters: - type: object mapping: $. - name: gets-value-string-representation-global description: Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptviewglobalcustomvar outputParameters: - type: object mapping: $. - name: gets-all-global-custom-variables description: Gets all the global custom variables (key/value pairs, the value is the string representation). hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptviewglobalcustomvars outputParameters: - type: object mapping: $. - name: gets-value-global-variable-given description: Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptviewglobalvar outputParameters: - type: object mapping: $. - name: gets-all-global-variables-key description: Gets all the global variables (key/value pairs). hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptviewglobalvars outputParameters: - type: object mapping: $. - name: lists-script-engines-available description: Lists the script engines available hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptviewlistengines outputParameters: - type: object mapping: $. - name: lists-scripts-available-its-engine description: Lists the scripts available, with its engine, name, description, type and error state. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptviewlistscripts outputParameters: - type: object mapping: $. - name: lists-script-types-available description: Lists the script types available. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptviewlisttypes outputParameters: - type: object mapping: $. - name: gets-value-string-representation-custom description: Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptviewscriptcustomvar outputParameters: - type: object mapping: $. - name: gets-all-custom-variables-key description: Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptviewscriptcustomvars outputParameters: - type: object mapping: $. - name: gets-value-variable-given-key description: Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptviewscriptvar outputParameters: - type: object mapping: $. - name: gets-all-variables-key-value description: Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. hints: readOnly: true destructive: false idempotent: true call: owasp-zap-script.scriptviewscriptvars outputParameters: - type: object mapping: $.