Content: 65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
A highly actionable API-fuzzing reference rich in concrete payloads and commands, organized into a sequenced workflow and tables. Its weaknesses are a monolithic, slightly redundant structure with no external references and no validation checkpoints in the workflow.
Suggestions
Add validation/feedback checkpoints to the Core Workflow (e.g. 'Confirm endpoint exists before IDOR testing; re-run with a low-priv token to verify cross-user access'), which would lift workflow clarity.
Split the large reference material (GraphQL-Specific Testing, Tools Reference, Common Vulnerabilities Checklist) into bundled reference files and link to them from SKILL.md to improve progressive disclosure and reduce redundancy.
Consolidate the overlapping Common API Vulnerabilities, Quick Reference, and Tools Reference tables into a single cross-referenced table to tighten conciseness.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The body is mostly efficient — commands, payloads, and tables with no concept explanations — but at ~430 lines it repeats overlapping material across the Common API Vulnerabilities, Quick Reference, and Tools Reference tables, so it is tighter than verbose but could still be consolidated; not the lean level-3 anchor. | 2 / 3 |
| Actionability | Provides fully executable, copy-paste-ready payloads, curl commands, GraphQL queries, and bash snippets (e.g. the boolean SQLi JSON ladder, IDOR bypass payloads, introspection query), matching the concrete copy-paste-ready anchor. | 3 / 3 |
| Workflow Clarity | The Core Workflow sequences Steps 1–5 (Recon → Auth → IDOR → Injection → Method), but there are no validation checkpoints or fix→retry feedback loops, so it sits at 'sequence present but checkpoints missing' rather than the level-3 anchor with explicit validation. | 2 / 3 |
| Progressive Disclosure | Sections are well organized with tables, but the ~430-line body is monolithic with no external reference files and inline content (GraphQL testing, tools reference, checklists) that could be split; it exceeds the under-50-line simple-skill exception, so it does not reach level 3. | 2 / 3 |
| Total | | 9 / 12 Passed |