api-fuzzing-bug-bounty
Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.
63
55%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Critical
Do not install without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/antigravity-api-fuzzing-bug-bounty/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent specificity and trigger term coverage for its security testing niche. It clearly names the API types, attack vectors, and engagement contexts. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about API security testing, API hacking, finding API vulnerabilities, or testing endpoints during bug bounty or pentest engagements.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: testing REST/SOAP/GraphQL APIs, vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors. These are concrete, actionable capabilities. | 3 / 3 |
Completeness | Clearly answers 'what does this do' with specific techniques and API types, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The when is only implied through context (bug bounty, penetration testing). | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'REST', 'SOAP', 'GraphQL', 'API', 'bug bounty', 'penetration testing', 'authentication bypass', 'IDOR'. These are terms security professionals naturally use when seeking this type of guidance. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche: API security testing in bug bounty/pentest contexts. The combination of specific API types (REST, SOAP, GraphQL) with specific attack vectors (IDOR, auth bypass) makes it unlikely to conflict with general API development or other security skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
27%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a comprehensive cheat sheet or reference guide than a focused, actionable skill for Claude. While it contains genuinely useful payloads and techniques, it suffers from being monolithic (~350+ lines), explaining concepts Claude already knows, and lacking validation checkpoints in its workflow. The content would be significantly improved by splitting into focused sub-files and trimming explanatory text.
Suggestions
Split the monolithic content into separate files: GRAPHQL.md, INJECTION_PAYLOADS.md, TOOLS.md, and BYPASS_TECHNIQUES.md, with SKILL.md serving as a concise overview linking to each.
Remove explanatory text Claude already knows (API Types Overview table, 'Insecure Direct Object Reference is the most common API vulnerability', Purpose/Inputs/Outputs sections) to reduce token usage by ~30%.
Add explicit validation checkpoints to the workflow, such as 'Confirm vulnerability by comparing authenticated vs unauthenticated responses' and 'Verify IDOR by checking if returned data belongs to a different user before documenting.'
Remove the 'When to Use' section which adds no value, and consolidate the two summary tables (Checklist and Quick Reference) into one.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is extremely verbose at ~350+ lines, includes unnecessary sections like 'API Types Overview' table (Claude knows this), explains what IDOR is, lists extensive tool URLs that could be in a separate reference file, and includes a meaningless 'When to Use' section. The 'Purpose', 'Inputs/Prerequisites', and 'Outputs/Deliverables' sections restate obvious information. | 1 / 3 |
Actionability | Provides many concrete payloads and commands that are copy-paste ready (IDOR bypasses, GraphQL introspection, SQL injection payloads), but much of it is presented as isolated snippets without full executable context. The payloads are useful reference material but lack complete scripts or tool invocation patterns that would make them fully actionable workflows. | 2 / 3 |
Workflow Clarity | Steps 1-5 provide a reasonable sequence for API testing, but there are no validation checkpoints or feedback loops. There's no guidance on how to verify a finding is real vs. a false positive, no explicit 'confirm exploitation before reporting' step, and no error recovery guidance within the workflow itself. The troubleshooting table at the end is helpful but disconnected from the workflow. | 2 / 3 |
Progressive Disclosure | This is a monolithic wall of text with no references to external files despite being well over 300 lines. The tools reference table, GraphQL-specific testing, injection payloads, and bypass techniques could all be split into separate reference files. No bundle files exist to support this, and the content would benefit enormously from being split into focused sub-documents. | 1 / 3 |
Total | 6 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- boisenoise/skills-collections
- Commit
431bfad
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.