
api-security-best-practices

Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities

Score: 74

Quality: Does it follow best practices?

Impact: 100%

1.17x: Average score across 3 eval scenarios

Security by Snyk: Passed (no known issues)


Quality

Content: 65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill is highly actionable with concrete executable code, but it is verbose and monolithic. Workflow clarity and progressive disclosure suffer from a lack of explicit validation feedback loops and the absence of any external reference files.

Suggestions

Move the three long worked examples (JWT, input validation, rate limiting) into separate reference files and link to them from a concise overview to improve progressive disclosure and conciseness.

Add an explicit validate -> fix -> retry loop for the security-testing step (e.g., run OWASP checks, review failures, re-test) to raise workflow clarity.

Trim generic explanations Claude already knows (OWASP Top 10 restatement, Do/Don't boilerplate) to tighten token efficiency.

| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The ~900-line body is mostly accurate but padded with explanations Claude already knows (e.g., restating the OWASP API Top 10, generic Do/Don't lists) and could be tightened considerably. | 2 / 3 |
| Actionability | Provides fully executable, copy-paste-ready code for JWT auth, parameterized queries, Zod validation, rate limiting, and Helmet config with real library calls. | 3 / 3 |
| Workflow Clarity | Steps 1-5 are sequenced and testing appears in Step 5, but the steps read as topical categories rather than an operational flow, and there is no explicit validate-fix-retry feedback loop for risky operations. | 2 / 3 |
| Progressive Disclosure | Everything lives in a single monolithic SKILL.md with no references/scripts/assets bundle; the large example blocks are content that should be split into one-level-deep reference files. | 2 / 3 |
| Total | | 9 / 12 (Passed) |

Description: 60%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific about capabilities but lacks any explicit usage trigger, capping completeness. It is distinct enough in topic yet overlaps with several related security skills.

Suggestions

Add a 'Use when...' clause naming natural triggers such as 'Use when building or reviewing APIs, securing endpoints, or hardening against OWASP API Top 10 risks'.

Include more conversational trigger phrases users would actually say (e.g., 'secure my API', 'API authentication', 'OWASP') to improve trigger-term quality.

Sharpen distinctiveness by scoping to 'design-time API security patterns' to reduce overlap with testing-focused sibling skills.

| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple concrete actions — 'authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities' — matching the multi-action anchor. | 3 / 3 |
| Completeness | Clearly states what it does but omits any 'Use when...' trigger, so 'when' is missing rather than explicit; per guideline a missing trigger caps completeness at 2. | 2 / 3 |
| Trigger Term Quality | Contains relevant terms ('secure API design', 'authentication', 'rate limiting') but leans technical and lacks common user phrasings like 'secure my API' or 'OWASP'. | 2 / 3 |
| Distinctiveness Conflict Risk | The API-security niche is reasonably specific but overlaps with sibling skills like authentication and SQL-injection testing referenced in the body. | 2 / 3 |
| Total | | 9 / 12 (Passed) |

Validation: 87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 14 / 16 passed

Validation for skill structure

| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (916 lines); consider splitting into references/ and linking | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 14 / 16 (Passed) |

Repository: boisenoise/skills-collections (Reviewed)
