
api-security-best-practices

Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities

40

Quality

28%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Security by Snyk

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./.agent/skills/api-security-best-practices/SKILL.md

Quality

Discovery

42%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description effectively lists specific security capabilities for API design, demonstrating good technical specificity. However, it critically lacks any 'Use when...' guidance, making it difficult for Claude to know when to select this skill over others. The trigger terms are adequate but could benefit from more natural user language variations.

Suggestions

Add a 'Use when...' clause with explicit triggers like 'Use when designing secure APIs, implementing authentication flows, adding rate limiting, or protecting against OWASP API vulnerabilities'

Include common user terms and variations such as 'OAuth', 'JWT tokens', 'API keys', 'API security', 'secure REST endpoints', 'API protection'

Clarify the boundary with related skills by specifying this is for API-specific security rather than general application security or authentication systems

Dimension / Reasoning / Score

Specificity

Lists multiple specific concrete actions: authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities. These are distinct, actionable security patterns.

3 / 3

Completeness

Describes what the skill does (implement secure API patterns) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill.

1 / 3

Trigger Term Quality

Contains relevant technical terms like 'API', 'authentication', 'authorization', 'rate limiting' that users might say, but missing common variations like 'OAuth', 'JWT', 'API keys', 'security', 'secure endpoints', or 'API protection'.

2 / 3

Distinctiveness Conflict Risk

The focus on 'secure API design patterns' provides some specificity, but could overlap with general security skills, authentication skills, or API development skills without clearer boundaries.

2 / 3

Total: 8 / 12

Passed

Implementation

14%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is essentially an empty shell that delegates everything to 30 poorly-organized sub-files. It provides no actionable content, no executable examples, and no clear workflow in the main skill body. The excessive fragmentation (30 sub-skills for what could be 5-6 well-organized sections) makes navigation difficult and violates progressive disclosure principles.

Suggestions

Add concrete, executable code examples directly in the main skill for the most common use cases (e.g., JWT authentication setup, basic input validation)

Consolidate the 30 sub-skills into 4-6 logical groupings (Authentication, Input Validation, Rate Limiting, Data Protection, Testing) with brief inline summaries

Define a clear workflow sequence with validation checkpoints for implementing API security (e.g., '1. Set up auth -> 2. Validate inputs -> 3. Add rate limiting -> 4. Test')

Remove the verbose 'When to Use' section and replace with a quick-start example that demonstrates the most critical security pattern
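The quick-start the suggestions above ask for, written out here as an added example that is neither part of the skill's files nor Tessl's review output. It walks the suggested sequence (set up auth, check authorization, rate limit, validate input) as one request pipeline so each checkpoint can be exercised. The signing key, the `/transfer` route, the `transfer:write` scope, the request schema and the sample requests are all constructed for the demo and are assumptions, not anything the skill defines; the token format is a compact HMAC-SHA256 token built with the standard library rather than a JWT library.

```python
"""Minimal API request pipeline with the checkpoints the review asks for: auth,
scope check, per-subject rate limit, allow-list input validation. Stdlib only.
Signing key, route, scopes, schema and sample requests are constructed for this
demo and are not taken from the skill or any project."""
import base64, hashlib, hmac, json, re

SECRET = b"demo-signing-key-replace-me"   # assumption: 32+ random bytes from a KMS in production
USERNAME = re.compile(r"^[a-z0-9_]{3,32}$")

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue a compact HMAC-SHA256 token: base64url(json claims).base64url(sig)."""
    payload = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    return f"{payload}.{_b64e(hmac.new(secret, payload.encode(), hashlib.sha256).digest())}"

def verify_token(token: str, now: float, secret: bytes = SECRET):
    """Return the claims only if signature, shape and expiry all check out, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    try:
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):   # constant-time comparison
            return None
        claims = json.loads(_b64d(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("sub"), str):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:   # missing or past expiry
        return None
    return claims

class TokenBucket:
    """Per-key token bucket: burst of `capacity`, refilled at `rate` tokens/second."""
    def __init__(self, capacity: int, rate: float):
        self.capacity, self.rate, self._state = capacity, rate, {}

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        self._state[key] = (tokens - 1 if tokens >= 1 else tokens, now)
        return tokens >= 1

def validate_transfer(body: dict) -> list:
    """Allow-list validation: unknown fields (mass assignment), types and ranges."""
    errors = [f"unexpected field: {f}" for f in sorted(body.keys() - {"username", "amount"})]
    user, amount = body.get("username"), body.get("amount")
    if not isinstance(user, str) or not USERNAME.match(user):
        errors.append("username must match [a-z0-9_]{3,32}")
    if not isinstance(amount, int) or isinstance(amount, bool) or not 1 <= amount <= 10_000:
        errors.append("amount must be an integer in 1..10000")
    return errors

ROUTES = {("POST", "/transfer"): ("transfer:write", validate_transfer)}   # constructed route table
LIMITER = TokenBucket(capacity=2, rate=1.0)

def handle(method, path, headers, raw_body, now, limiter=LIMITER):
    """Checkpoints in order: 401 auth -> 403 scope -> 429 rate -> 400 input -> 200."""
    if (method, path) not in ROUTES:
        return 404, {"error": "not found"}
    scope, validate = ROUTES[(method, path)]
    auth = headers.get("Authorization", "")
    claims = verify_token(auth[7:], now) if auth.startswith("Bearer ") else None
    if claims is None:
        return 401, {"error": "missing, invalid or expired token"}
    if scope not in str(claims.get("scope", "")).split():
        return 403, {"error": "insufficient scope"}
    if not limiter.allow(claims["sub"], now):   # keyed on the authenticated subject, not the client IP
        return 429, {"error": "rate limited"}
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, {"error": "body is not valid JSON"}
    errors = validate(body) if isinstance(body, dict) else ["body must be a JSON object"]
    return (400, {"errors": errors}) if errors else (200, {"ok": True, "by": claims["sub"]})

def run_demo() -> list:
    """Constructed requests hitting each checkpoint in turn; returns the status codes."""
    limiter, now = TokenBucket(capacity=2, rate=1.0), 1_700_000_000.0
    alice = make_token({"sub": "alice", "scope": "transfer:write", "exp": now + 300})
    reader = make_token({"sub": "carol", "scope": "transfer:read", "exp": now + 300})
    stale = make_token({"sub": "alice", "scope": "transfer:write", "exp": now - 1})
    forged = make_token({"sub": "mallory", "scope": "transfer:write", "exp": now + 300}).split(".")[0] + "." + alice.split(".")[1]
    ok = json.dumps({"username": "bob_1", "amount": 50})
    bad = json.dumps({"username": "bob_1", "amount": 50, "is_admin": True})
    def call(token, body, t):
        hdrs = {"Authorization": f"Bearer {token}"} if token else {}
        return handle("POST", "/transfer", hdrs, body, t, limiter)[0]
    return [call(None, ok, now),        # 401: no credential
            call(forged, ok, now),      # 401: payload swapped, signature no longer matches
            call(stale, ok, now),       # 401: expired
            call(reader, ok, now),      # 403: valid token but lacks transfer:write
            call(alice, bad, now),      # 400: unknown field is_admin rejected
            call(alice, ok, now),       # 200
            call(alice, ok, now),       # 429: burst of 2 exhausted
            call(alice, ok, now + 1)]   # 200: one token refilled after 1 s

if __name__ == "__main__":
    print(run_demo())   # [401, 401, 401, 403, 400, 200, 429, 200]
```

Two design choices worth keeping when adapting this: the rate limiter is keyed on the authenticated subject and runs before the request body is parsed, so an authenticated caller cannot burn CPU on parsing or validation once its budget is gone, and validation is an allow-list (unknown fields are errors, booleans are not accepted as integers) rather than a deny-list of known-bad values.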

Dimension / Reasoning / Score

Conciseness

The overview and 'When to Use' sections contain some unnecessary explanation that Claude would already understand. However, the main content is a list of references which is reasonably efficient, though the sheer number (30 sub-skills) suggests poor organization rather than conciseness.

2 / 3

Actionability

The skill body contains zero executable code, commands, or concrete guidance. It is entirely a list of links to other files with no actionable content in the main skill itself - it describes rather than instructs.

1 / 3

Workflow Clarity

Despite having numbered 'steps' in the sub-skill names, there is no actual workflow defined. The 30 links are a disorganized mix of steps, examples, problems, and concepts with no clear sequence, validation checkpoints, or process guidance.

1 / 3

Progressive Disclosure

While the skill attempts progressive disclosure by linking to sub-skills, it fails badly: 30 separate files is excessive fragmentation, the organization is chaotic (mixing steps, examples, problems, concepts), and there's no meaningful overview content - just a wall of links with no context about what each contains.

1 / 3

Total: 5 / 12

Passed

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total: 10 / 11

Passed

Repository
Dokhacgiakhoa/antigravity-ide
Reviewed
