api-fuzzing-bug-bounty
Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.
50
55%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Critical
Do not install without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/antigravity-api-fuzzing-bug-bounty/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent specificity and trigger term coverage for its security testing niche. It clearly lists concrete capabilities and uses natural terminology that security professionals would search for. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about API security testing, API hacking, finding vulnerabilities in APIs, or performing security assessments on web services.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: testing REST/SOAP/GraphQL APIs, vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors. These are concrete, actionable capabilities. | 3 / 3 |
Completeness | Clearly answers 'what does this do' with specific techniques and attack vectors, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The when is only implied through context (bug bounty, penetration testing). | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'REST', 'SOAP', 'GraphQL', 'API', 'bug bounty', 'penetration testing', 'authentication bypass', 'IDOR'. These are terms security professionals naturally use when seeking this type of guidance. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche: API security testing in bug bounty/pentest contexts. The combination of specific API types (REST, SOAP, GraphQL) and specific attack vectors (IDOR, auth bypass) makes it unlikely to conflict with general security or general API skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
27%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a comprehensive cheat sheet or reference manual than a focused, actionable skill file. While it contains genuinely useful payloads and testing patterns, it suffers from significant verbosity, explains concepts Claude already knows, and packs far too much content into a single file without progressive disclosure. The workflow structure exists but lacks validation checkpoints critical for security testing operations.
Suggestions
Split content into multiple files: keep SKILL.md as a concise overview with workflow steps, and move GraphQL testing, tool references, bypass techniques, and injection payloads into separate referenced files (e.g., GRAPHQL.md, TOOLS.md, BYPASSES.md, INJECTIONS.md).
Remove explanatory content Claude already knows (API types overview table, IDOR definition, what PDF/SSRF/XXE are) and replace with just the actionable test patterns.
Add explicit validation checkpoints to the workflow: e.g., 'Confirm target is in scope before proceeding', 'Verify authorization document covers destructive method testing', 'Document findings before escalating to more aggressive tests'.
Remove the 'When to Use' boilerplate section and the 'Outputs/Deliverables' section, which add no actionable value.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is extremely verbose at ~350+ lines, includes unnecessary sections like 'API Types Overview' table (Claude knows this), explains what IDOR is, lists extensive tool URLs that could be in a separate reference file, and includes a meaningless 'When to Use' section. The 'Purpose', 'Inputs/Prerequisites', and 'Outputs/Deliverables' sections restate obvious information. | 1 / 3 |
Actionability | Provides concrete payloads and test patterns that are copy-paste ready (IDOR bypasses, GraphQL introspection, SQL injection in JSON), but many examples are incomplete snippets rather than executable workflows. The reconnaissance commands reference tools without installation steps, and payloads lack context on how to interpret results beyond simple OK/ERROR annotations. | 2 / 3 |
Workflow Clarity | Steps 1-5 provide a reasonable sequence for API testing, but there are no validation checkpoints or feedback loops. For security testing involving potentially destructive operations (DELETE method testing, DoS attempts), there's no guidance on verifying scope or confirming authorization before proceeding. The workflow lacks decision points for what to do when specific results are found. | 2 / 3 |
Progressive Disclosure | This is a monolithic wall of text with no bundle files to offload content. The tools reference table, GraphQL-specific testing, endpoint bypass techniques, and PDF export attacks could all be separate reference files. Everything is crammed into a single document with no references to supporting files, making it overwhelming and inefficient for context window usage. | 1 / 3 |
Total | 6 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- boisenoise/skills-collections
- Commit
e41e34a
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.