common-dast-tooling

Standardize dynamic application security testing for backend APIs, frontend web apps, and mobile clients. Covers ZAP, Nuclei, Nikto, sqlmap, ffuf, browser automation, mobile proxy interception, and AI-driven curl probes. Use when advising on or running dynamic security scans on local/staging environments.

Quality

61%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./.github/skills/common/common-dast-tooling/SKILL.md

Quality

Content

22%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads as a reference catalog of DAST tools and categories rather than an actionable guide Claude can follow. It lacks executable commands, concrete examples, and any sequenced workflow with validation steps. The critical implementation details are deferred to a referenced file that doesn't exist in the bundle, leaving the skill largely non-functional.

Suggestions

Add concrete, executable command examples for at least the primary tools (e.g., full nuclei, zap-cli, sqlmap command lines with flags and placeholder targets) directly in the skill body.

Create a sequenced workflow section (e.g., '1. Run Nuclei templates → 2. Review findings → 3. Confirm with sqlmap → 4. Validate fixes') with explicit validation checkpoints between steps.

Either include the referenced 'references/implementation.md' file in the bundle or inline the essential setup and execution commands so the skill is self-contained.

Remove descriptive text about what tools are (Claude already knows) and replace with specific invocation patterns and expected output interpretation.

Dimension	Reasoning	Score
Conciseness	Generally efficient with bullet-point format and tables, but includes some unnecessary categorization and description that Claude already knows (e.g., explaining what Nikto or Lighthouse does). The scoring impact table adds bulk that may not be actionable for Claude.	2 / 3
Actionability	Almost entirely descriptive rather than instructive — lists tools and what they do but provides no executable commands, code snippets, or concrete examples. The 'See implementation guide' references defer all actionable content to a file that doesn't exist in the bundle, leaving the skill body with no copy-paste-ready guidance.	1 / 3
Workflow Clarity	No sequenced workflow exists — the content is organized as a catalog of tools and categories rather than a step-by-step process. For a multi-tool DAST workflow involving destructive/batch scanning operations, there are no validation checkpoints, no ordering of steps, and no feedback loops for error recovery.	1 / 3
Progressive Disclosure	References to 'references/implementation.md' are clearly signaled and one level deep, which is good structure. However, the bundle has no files, meaning the referenced implementation guide doesn't exist, and the main body lacks enough standalone actionable content to be useful without it.	2 / 3
	Total	6 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly defines its scope (DAST), lists specific tools and target types, and includes an explicit 'Use when' clause. The description is concise yet comprehensive, covering both the what and when effectively. The enumeration of specific tools like ZAP, Nuclei, sqlmap, and ffuf provides excellent trigger terms and distinctiveness.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions and tools: ZAP, Nuclei, Nikto, sqlmap, ffuf, browser automation, mobile proxy interception, and AI-driven curl probes. Also specifies target types: backend APIs, frontend web apps, and mobile clients.	3 / 3
Completeness	Clearly answers both 'what' (standardize DAST for APIs, web apps, mobile clients using specific tools) and 'when' ('Use when advising on or running dynamic security scans on local/staging environments'), with an explicit trigger clause.	3 / 3
Trigger Term Quality	Includes strong natural keywords users would say: 'dynamic application security testing', 'DAST' (implied), 'ZAP', 'Nuclei', 'Nikto', 'sqlmap', 'ffuf', 'security scans', 'staging environments'. These cover both tool-specific and general security scanning terminology.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive with a clear niche: dynamic (not static) application security testing, specific tool names, and scoped to local/staging environments. Unlikely to conflict with static analysis, code review, or general security policy skills.	3 / 3
	Total	12 / 12 Passed

Validation

81%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 9 / 11 Passed

Validation for skill structure

Criteria	Description	Result
metadata_version	'metadata.version' is missing	Warning
metadata_field	'metadata' should map string keys to string values	Warning

	Total	9 / 11 Passed

Repository: HoangNguyen0403/agent-skills-standard
Commit: de793e9

Reviewed: 4 days ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.