Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities
No eval scenarios have been run
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./.agent/skills/api-security-best-practices/SKILL.md
Quality
Discovery
42%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description effectively lists specific security capabilities for API design, demonstrating good technical specificity. However, it critically lacks any 'Use when...' guidance, making it difficult for Claude to know when to select this skill over others. The trigger terms are adequate but could benefit from more natural user language variations.
Suggestions
Add a 'Use when...' clause with explicit triggers like 'Use when designing secure APIs, implementing authentication flows, adding rate limiting, or protecting against OWASP API vulnerabilities'
Include common user terms and variations such as 'OAuth', 'JWT tokens', 'API keys', 'API security', 'secure REST endpoints', 'API protection'
Clarify the boundary with related skills by specifying this is for API-specific security rather than general application security or authentication systems
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities. These are distinct, actionable security patterns. | 3 / 3 |
| Completeness | Describes what the skill does (implement secure API patterns) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. | 1 / 3 |
| Trigger Term Quality | Contains relevant technical terms like 'API', 'authentication', 'authorization', 'rate limiting' that users might say, but missing common variations like 'OAuth', 'JWT', 'API keys', 'security', 'secure endpoints', or 'API protection'. | 2 / 3 |
| Distinctiveness Conflict Risk | The focus on 'secure API design patterns' provides some specificity, but could overlap with general security skills, authentication skills, or API development skills without clearer boundaries. | 2 / 3 |
| Total | | 8 / 12 Passed |
Implementation
14%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill body is essentially a table of contents with no substantive content in the main file. It over-fragments into 30 sub-skills without providing any quick-start guidance, executable examples, or clear workflow in the parent document. The organization mixes steps, examples, problems, and topics without logical grouping.
Suggestions
Add a 'Quick Start' section with at least one executable code example for a common security pattern (e.g., JWT authentication middleware)
Consolidate the 30 sub-skills into 5-7 logical groupings (e.g., combine 'The Problem', 'The Solution', 'Validation Checklist' into a single input validation document)
Include a clear numbered workflow with validation checkpoints in the main skill file (e.g., '1. Implement auth → 2. Add input validation → 3. Test with security checklist')
Add a brief security checklist or decision tree directly in the main file so users get immediate value without navigating to sub-skills
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The overview and 'When to Use' sections contain some unnecessary explanation that Claude would already understand. However, the main content is just a list of links, which is efficient but perhaps too sparse to be useful on its own. | 2 / 3 |
| Actionability | The skill body contains no concrete code, commands, or executable guidance; it is entirely a list of links to sub-skills with no actionable content in the main file itself. | 1 / 3 |
| Workflow Clarity | While there are numbered 'steps' (1-5), the remaining 25 items are a disorganized mix of examples, problems, and topics with no clear sequence or validation checkpoints. The workflow is unclear and fragmented. | 1 / 3 |
| Progressive Disclosure | The skill has 30 sub-skill references, which is excessive fragmentation. Many items like 'The Problem', 'The Solution', 'Implementation' are too granular and should be consolidated. Navigation is confusing with no clear hierarchy. | 1 / 3 |
| Total | | 5 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
332e58b