Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities
Quality: 31% (Does it follow best practices?)
Impact: 100%, 1.17x average score across 3 eval scenarios, passed
No known issues
Quality
Discovery
32%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear domain (secure API design) and lists several relevant sub-topics, but it reads more like a topic heading than an actionable skill description. It critically lacks a 'Use when...' clause, making it difficult for Claude to know precisely when to select this skill over related ones. The trigger terms are reasonable but miss common user-facing variations.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about API security, securing endpoints, adding authentication/authorization to APIs, or protecting against OWASP API vulnerabilities.'
Include more natural trigger term variations users would say, such as 'OAuth', 'JWT', 'API keys', 'CORS', 'token auth', 'SQL injection', 'OWASP API Top 10'.
Make the actions more concrete by specifying outputs, e.g., 'Generates authentication middleware, implements JWT token flows, adds rate-limiting logic, and validates request payloads against schemas.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists several domain-specific actions (authentication, authorization, input validation, rate limiting, vulnerability protection) but they read more like a category list than concrete actions. It doesn't specify what concrete outputs or transformations are performed (e.g., 'generate middleware code', 'add JWT authentication'). | 2 / 3 |
| Completeness | Describes what the skill does (implement secure API design patterns) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per rubric guidelines, a missing 'Use when...' clause caps completeness at 2, and since the 'what' is also somewhat vague, this scores a 1. | 1 / 3 |
| Trigger Term Quality | Includes relevant terms like 'authentication', 'authorization', 'rate limiting', 'input validation', and 'API vulnerabilities' that users might mention. However, it misses common natural variations like 'API security', 'OAuth', 'JWT', 'CORS', 'API keys', 'token-based auth', or 'SQL injection'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The focus on 'secure API design patterns' is somewhat specific, but terms like 'input validation' and 'authentication' could overlap with general security skills, web development skills, or backend development skills. The lack of explicit boundaries increases conflict risk. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation
29%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is extremely verbose and monolithic, containing extensive code examples and explanations that would be better split across multiple files. While the code examples themselves are high-quality and executable, the skill wastes significant token budget explaining concepts Claude already knows (SQL injection basics, why HTTPS matters, what rate limiting is). The workflow structure is essentially a topic list rather than a sequenced process with validation checkpoints.
Suggestions
Reduce the SKILL.md to a concise overview (~50-80 lines) with key patterns and decision points, moving the three large code examples into separate bundle files (e.g., examples/jwt-auth.md, examples/input-validation.md, examples/rate-limiting.md)
Remove explanatory content Claude already knows: the 'Why Rate Limiting?' section, OWASP Top 10 descriptions, 'When to Use This Skill' list, and basic concept explanations like what SQL injection is
Replace the vague 5-step workflow with a concrete sequenced process: e.g., '1. Audit endpoints → 2. Add auth middleware → 3. Add input validation → 4. Add rate limiting → 5. Run security tests → 6. Review results and fix issues'
Eliminate the duplicative Do/Don't lists and Security Checklist sections which largely repeat the same information already demonstrated in the code examples
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at 500+ lines. Explains concepts Claude already knows (what SQL injection is, why rate limiting matters, what HTTPS is). The 'Why Rate Limiting?' bullet list, OWASP Top 10 summary, and extensive do/don't lists are all knowledge Claude possesses. The 'When to Use This Skill' section with 8 bullets is unnecessary padding. | 1 / 3 |
| Actionability | The code examples are fully executable, complete, and copy-paste ready. JWT authentication, input validation with Zod, rate limiting with Redis, and the common pitfalls all include concrete, working JavaScript code with proper error handling and security patterns demonstrated. | 3 / 3 |
| Workflow Clarity | The 5 high-level steps (Authentication, Input Validation, Rate Limiting, Data Protection, Testing) are vague descriptions rather than a clear workflow. There are no validation checkpoints, no feedback loops, and no sequenced process for implementing security. The steps read like a table of contents rather than an actionable workflow. | 1 / 3 |
| Progressive Disclosure | Monolithic wall of text with everything inline. No bundle files exist to offload the extensive code examples. The three massive example blocks (JWT, Input Validation, Rate Limiting) should be in separate reference files, with the SKILL.md providing a concise overview and links. Related skills are listed but the content itself is not structured for progressive discovery. | 1 / 3 |
| Total | | 6 / 12 Passed |
Validation
81%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (916 lines); consider splitting into references/ and linking | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |
e41e34a