api-security-best-practices
Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities
61
42%
Does it follow best practices?
Impact
97%
1.42xAverage score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/antigravity-api-security-best-practices/SKILL.mdQuality
Discovery
42%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description lists concrete security capabilities for API design, which is a strength in specificity. However, it critically lacks any 'Use when...' guidance, making it incomplete for skill selection purposes. It also misses common user-facing trigger terms and variations that would help Claude match this skill to user requests.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about securing APIs, implementing authentication/authorization, protecting endpoints, or hardening API security.'
Include common natural trigger terms users would say, such as 'OAuth', 'JWT', 'API keys', 'CORS', 'token-based auth', 'SQL injection', 'XSS', 'OWASP API security'.
Clarify the scope boundary to reduce overlap, e.g., specify this is for API-specific security patterns rather than general web application security or network security.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities. These are distinct, identifiable security concerns. | 3 / 3 |
Completeness | Describes what the skill does but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and since the 'when' is entirely absent, this scores at 1. | 1 / 3 |
Trigger Term Quality | Includes relevant terms like 'authentication', 'authorization', 'rate limiting', 'input validation', and 'API vulnerabilities', but misses common user variations like 'OAuth', 'JWT', 'API keys', 'CORS', 'SQL injection', 'XSS', or 'API security'. | 2 / 3 |
Distinctiveness Conflict Risk | The focus on 'secure API design patterns' is somewhat specific, but could overlap with general security skills, API design skills, or web application security skills. The lack of explicit trigger boundaries increases conflict risk. | 2 / 3 |
Total | 8 / 12 Passed |
Implementation
42%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides excellent, executable code examples covering key API security patterns, but is severely bloated—easily 3-4x longer than necessary. It explains many concepts Claude already knows (what SQL injection is, why HTTPS matters, what the OWASP Top 10 items mean) and dumps everything into a single monolithic file rather than using progressive disclosure with referenced sub-documents. The workflow structure is present but lacks explicit validation checkpoints between security implementation phases.
Suggestions
Reduce content by 60-70%: remove explanations of well-known concepts (what SQL injection is, why rate limiting matters, OWASP descriptions), the 'When to Use' section, and the do/don't lists that restate obvious security principles.
Split into multiple files: move JWT implementation to AUTH.md, input validation to VALIDATION.md, rate limiting to RATE-LIMITING.md, and keep SKILL.md as a concise overview with references.
Add explicit validation checkpoints to the workflow: e.g., 'After implementing auth, run `npm audit` and test with curl examples to verify token validation before proceeding to input validation.'
Remove the 'Why Rate Limiting?' bullets and OWASP Top 10 descriptions—Claude knows these. Replace with a single link to the OWASP reference.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Extremely verbose at 500+ lines. Explains concepts Claude already knows (what SQL injection is, why rate limiting matters, what HTTPS is). The OWASP Top 10 list, 'Why Rate Limiting?' bullet points, and extensive do/don't lists are all common knowledge for Claude. The 'When to Use This Skill' section with 8 bullet points is unnecessary padding. | 1 / 3 |
Actionability | The code examples are fully executable, complete, and copy-paste ready. JWT authentication, input validation with Zod, rate limiting with Redis, and all common pitfall solutions include working JavaScript code with proper error handling and security patterns. | 3 / 3 |
Workflow Clarity | Steps 1-5 in the 'How It Works' section are listed but lack explicit validation checkpoints or feedback loops. There's no clear 'validate then proceed' pattern for the overall security implementation workflow. The examples themselves show good patterns but the overarching process lacks verification steps (e.g., 'run security scan after implementing auth'). | 2 / 3 |
Progressive Disclosure | Monolithic wall of text with everything inline. The massive code examples for JWT, input validation, and rate limiting should be in separate referenced files. The security checklist, OWASP Top 10, best practices, and common pitfalls sections all compete for attention in a single enormous document with no content split into supporting files. | 1 / 3 |
Total | 7 / 12 Passed |
Validation
81%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
skill_md_line_count | SKILL.md is long (911 lines); consider splitting into references/ and linking | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 9 / 11 Passed | |
- Repository
- boisenoise/skills-collections
- Commit
636b862
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.