CtrlK
BlogDocsLog inGet started
Tessl Logo

common-dast-tooling

Standardize dynamic application security testing for backend APIs, frontend web apps, and mobile clients. Covers ZAP, Nuclei, Nikto, sqlmap, ffuf, browser automation, mobile proxy interception, and AI-driven curl probes. Use when advising on or running dynamic security scans on local/staging environments.

66

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

72%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A well-structured, token-efficient overview that correctly pushes command detail into a real one-level reference. It loses points on actionability and workflow clarity because the body itself lacks inline executable commands and an explicit sequenced scan workflow with validation checkpoints.

Suggestions

Add a short ordered scan workflow (e.g. 1. scope/auth, 2. run nuclei + ZAP, 3. triage findings against the Scoring table, 4. confirm true positives before reporting) to give workflow_clarity an explicit validation feedback loop.

Inline one representative executable command per scanner tool (e.g. `nuclei -u http://localhost:3000`, `zap-cli quick-scan ...`) so the body is actionable without requiring a jump to the reference.

State an explicit verification step for batch scan results (confirm each P0/P1 finding is a true positive before applying a deduction) to close the validation gap.

DimensionReasoningScore

Conciseness

The body is a lean bullet catalog that assumes Claude's competence — it never explains what SQLi/XSS is or how the tools work — and the Scoring Impact table and Anti-Patterns are operational guidance rather than padded prose, so every token earns its place.

3 / 3

Actionability

The curl section gives concrete targets ("/metrics", "/health", ".git", ".env") and headers ("X-Forwarded-For", "X-Custom-Auth") and the Scoring table is specific, but the scanner tools (Nuclei, ZAP, Nikto, sqlmap, ffuf) get only one-line descriptions with executable commands deferred to the reference, leaving the body itself not copy-paste ready.

2 / 3

Workflow Clarity

Content is organized by tool category with guardrails ("No Scanning Production", "No Uncapped Scans") and a sqlmap "human confirms" gate, but there is no explicit sequenced scan workflow (recon → scan → triage → report) and no validate-and-retry feedback loop, which the rubric caps at 2 for batch scanning operations.

2 / 3

Progressive Disclosure

The SKILL.md is a concise overview that signals a single one-level-deep reference ("See [implementation guide](references/implementation.md) for setup commands") twice, and references/implementation.md exists with all commands — content is appropriately split and easy to navigate.

3 / 3

Total

10

/

12

Passed

Description

90%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A well-formed, third-person description with an explicit Use-when trigger and natural domain terms. The only weak spot is specificity, since it leads with an abstract verb and enumerates tools rather than concrete actions.

DimensionReasoningScore

Specificity

The description names the domain and enumerates specific tools ("ZAP, Nuclei, Nikto, sqlmap, ffuf") and capability areas ("browser automation, mobile proxy interception, and AI-driven curl probes"), but the leading action is the abstract verb "Standardize" with capabilities framed as "Covers [tools]" rather than a list of concrete actions, so it stops short of the anchor-3 multi-action pattern.

2 / 3

Completeness

It states what the skill does (standardize DAST across backend APIs, frontend web apps, and mobile clients with named tools) and gives an explicit "Use when advising on or running dynamic security scans on local/staging environments" trigger, satisfying both what and when.

3 / 3

Trigger Term Quality

It surfaces natural terms users would actually say for this domain — "DAST", "dynamic application security testing", "dynamic security scans", and specific tool names (zap, nuclei, sqlmap, ffuf, curl probes) — giving good coverage rather than jargon-only phrasing.

3 / 3

Distinctiveness Conflict Risk

The DAST tooling niche with platform-specific tooling and explicit local/staging scope is clearly distinct and unlikely to fire for unrelated skills.

3 / 3

Total

11

/

12

Passed

Validation

87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation14 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

metadata_version

'metadata.version' is missing

Warning

metadata_field

'metadata' should map string keys to string values

Warning

Total

14

/

16

Passed

Repository
HoangNguyen0403/agent-skills-standard
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.