Standardize usage of Dynamic Application Security Testing (DAST) tools (ZAP, Nuclei, Nikto) and custom AI-driven curl probes for adversarial system testing. Use when advising on or running dynamic security scans on local/staging environments. (triggers: DAST, dynamic scan, zap, nuclei, nikto, curl probe, pentest, dynamic analysis)
Quality score: 78
Does it follow best practices? 72%
Impact: Pending. No eval scenarios have been run.
Risk: Risky. Do not use without reviewing.
Optimize this skill with Tessl: `npx tessl skill review --optimize ./.github/skills/common/common-dast-tooling/SKILL.md`

Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its scope around DAST tooling, lists specific tools and actions, provides explicit 'Use when' guidance, and includes a comprehensive set of trigger terms. The description is concise, uses third-person voice, and carves out a distinct niche that would be easily distinguishable from other security-related skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions and tools: DAST tools (ZAP, Nuclei, Nikto), custom AI-driven curl probes, adversarial system testing, and dynamic security scans on local/staging environments. | 3 / 3 |
| Completeness | Clearly answers both 'what' (standardize usage of DAST tools and custom AI-driven curl probes for adversarial system testing) and 'when' (when advising on or running dynamic security scans on local/staging environments), with explicit trigger terms provided. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms explicitly listed: DAST, dynamic scan, zap, nuclei, nikto, curl probe, pentest, dynamic analysis. These are terms users would naturally use when requesting this type of work. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche focused specifically on dynamic application security testing with named tools (ZAP, Nuclei, Nikto) and a specific context (local/staging environments). Unlikely to conflict with static analysis, general security, or other skill types. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
44%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a reasonable high-level overview of DAST tooling with good safety constraints (no production scanning, capped scans) and appropriate progressive disclosure. However, it falls short on actionability by lacking any concrete executable commands or code examples inline, and it has no defined workflow sequence for actually conducting a scan, which is critical for a multi-step security testing process.
Suggestions
- Add concrete, executable command examples for each tool inline (e.g., `nuclei -u http://localhost:8080 -t cves/ -max-duration 10m`, `zap-cli quick-scan --self-contained http://staging.local`).
- Define a clear step-by-step workflow: 1. Verify the target is non-production, 2. Run the automated scan with caps, 3. Review findings, 4. Run targeted curl probes based on findings, 5. Validate/verify results.
- Include actual curl command examples for the adversarial probing section (e.g., `curl -H 'X-Forwarded-For: 127.0.0.1' http://localhost:8080/admin`).
- Add a validation checkpoint after scanning to verify that the scan completed successfully and the results are parseable before proceeding to analysis.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Mostly efficient but includes some unnecessary elements like the scoring impact table (which is more of a policy artifact than actionable guidance for Claude) and the priority label. The anti-patterns section is useful but could be tighter. | 2 / 3 |
| Actionability | Provides general guidance on which tools to use and what to probe, but lacks executable commands or concrete code examples. The curl probing section describes what to do conceptually but doesn't include actual curl commands. Tool usage is deferred to a reference file without any inline examples. | 2 / 3 |
| Workflow Clarity | There is no clear sequenced workflow for conducting a DAST scan. The content lists tool categories and probe types but doesn't define a step-by-step process with validation checkpoints. For security scanning operations that can be destructive or noisy, the absence of a structured workflow with verification steps is a significant gap. | 1 / 3 |
| Progressive Disclosure | Good structure with a clear overview in the SKILL.md and a single-level reference to the implementation guide for detailed command-line setup. Sections are well-organized and the external references are clearly signaled. | 3 / 3 |
| Total | | 8 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.