api-fuzzing-bug-bounty

This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug b...

81

Quality: 77% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Advisory (Suggest reviewing before use)

Quality

Discovery

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that excels at trigger term coverage and completeness by explicitly listing when the skill should be used. The description uses appropriate third-person framing and includes specific, natural phrases users would say. The main weakness is that the visible portion focuses more on trigger terms than detailed capability descriptions.

Dimension (Score): Reasoning

Specificity (2 / 3): The description names the domain (API security testing) and lists some actions like 'fuzz APIs', 'find IDOR vulnerabilities', but the truncation prevents seeing if it comprehensively lists concrete actions. What's visible mentions testing types but lacks detailed capability descriptions.

Completeness (3 / 3): The description explicitly states 'This skill should be used when...' followed by specific trigger scenarios, clearly answering both what (API security testing, fuzzing, vulnerability finding) and when (explicit list of user phrases that should trigger this skill).

Trigger Term Quality (3 / 3): Excellent coverage of natural trigger terms users would actually say: 'test API security', 'fuzz APIs', 'find IDOR vulnerabilities', 'test REST API', 'test GraphQL', 'API penetration testing', 'bug b...' (likely 'bug bounty'). These are realistic phrases security testers would use.

Distinctiveness Conflict Risk (3 / 3): Highly distinctive with specific niche focus on API security testing. Terms like 'IDOR vulnerabilities', 'fuzz APIs', 'GraphQL', and 'penetration testing' are unlikely to conflict with general coding or document skills.

Total: 11 / 12, Passed

Implementation

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a comprehensive and highly actionable API fuzzing reference with excellent concrete payloads and techniques. However, it's overly long for a single SKILL.md file, lacks validation checkpoints for a security testing workflow, and includes some explanatory content that Claude doesn't need. The content would benefit from being split into focused sub-documents with clearer verification steps.

Suggestions

Add explicit validation checkpoints after each testing phase (e.g., 'Verify vulnerability by checking response differences before proceeding')

Split into separate files: GRAPHQL.md, INJECTION.md, TOOLS.md, with SKILL.md as a concise overview pointing to each

Remove explanatory text like 'Insecure Direct Object Reference is the most common API vulnerability' and the API Types Overview table - Claude knows these concepts

Add a feedback loop for false positive handling: 'If response appears vulnerable, verify with secondary payload before documenting'

Dimension (Score): Reasoning

Conciseness (2 / 3): The skill is reasonably efficient with good use of tables and code blocks, but includes some unnecessary explanatory text (e.g., 'Insecure Direct Object Reference is the most common API vulnerability') and the API Types Overview table explains concepts Claude already knows.

Actionability (3 / 3): Excellent actionability with copy-paste ready payloads, specific curl commands, concrete GraphQL queries, and executable bash examples. Every technique includes actual test payloads rather than abstract descriptions.

Workflow Clarity (2 / 3): Steps are numbered and sequenced (Steps 1-5), but the skill lacks explicit validation checkpoints and feedback loops. For security testing involving potentially destructive operations, there is no guidance on verifying successful exploitation or handling false positives.

Progressive Disclosure (2 / 3): Content is well-organized with clear sections and tables, but it is a monolithic 300+ line document that could benefit from splitting GraphQL, injection testing, and tool references into separate files. No external file references are provided.

Total: 9 / 12, Passed

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria (Result): Description

frontmatter_unknown_keys (Warning): Unknown frontmatter key(s) found; consider removing or moving to metadata

Total: 10 / 11 Passed

Repository: boisenoise/skills-collections (Reviewed)
