api-security-best-practices

Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities

Quality: 46% (Does it follow best practices?)

Impact: 97%, 1.42x (average score across 3 eval scenarios)

Security (by Snyk): Passed, no known issues


Quality

Discovery: 42%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description effectively lists specific security capabilities for API design, demonstrating good specificity. However, it critically lacks any 'Use when...' guidance, making it difficult for Claude to know when to select this skill over others. The trigger terms are adequate but could include more user-friendly variations and common security terminology.

Suggestions:

- Add a 'Use when...' clause with explicit triggers like 'Use when designing REST APIs, implementing OAuth/JWT authentication, securing endpoints, or when the user mentions API security, token validation, or protecting against injection attacks.'
- Include more natural trigger terms users might say: 'OAuth', 'JWT', 'API keys', 'CORS', 'secure my API', 'prevent injection', 'token-based auth'.
- Clarify the boundary with related skills by specifying that this is for API-specific security patterns rather than general application security or authentication systems.

Dimension scores (reasoning, score):

- Specificity, 3 / 3: Lists multiple specific concrete actions: authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities. These are distinct, actionable security patterns.
- Completeness, 1 / 3: Describes what the skill does (implement secure API design patterns) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill.
- Trigger Term Quality, 2 / 3: Contains relevant technical terms like 'authentication', 'authorization', 'rate limiting', 'API vulnerabilities' that users might mention, but is missing common variations like 'OAuth', 'JWT', 'API keys', 'CORS', 'injection attacks', or 'secure endpoints'.
- Distinctiveness Conflict Risk, 2 / 3: Focuses on API security, which is a specific niche, but could overlap with general security skills, authentication skills, or API development skills without clearer boundaries on when this specific skill applies.

Total: 8 / 12

Passed

Implementation: 50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides excellent, production-ready code examples for API security implementation, but suffers from severe verbosity. It explains concepts Claude already understands (what JWT is, why security matters) and could be reduced by 60-70% while keeping all actionable content. The structure would benefit from splitting detailed examples into separate reference files.

Suggestions:

- Remove explanatory sections like 'Why Rate Limiting?' and 'The Problem' headers; jump directly to solutions with brief context.
- Move detailed code examples to separate files (e.g., examples/jwt-auth.md, examples/rate-limiting.md) and keep SKILL.md as a concise overview with links.
- Add explicit validation checkpoints to workflows, e.g., 'Test authentication endpoint with invalid token before proceeding to authorization'.
- Remove the OWASP Top 10 explanations; Claude knows these. Instead provide a simple checklist linking to specific code patterns in the skill.

Dimension scores (reasoning, score):

- Conciseness, 1 / 3: Extremely verbose at 600+ lines, with extensive explanations Claude already knows (what JWT is, why rate limiting matters, basic security concepts). The 'Why Rate Limiting?' section explaining obvious benefits and the lengthy OWASP descriptions are unnecessary padding.
- Actionability, 3 / 3: Provides fully executable, copy-paste ready code examples with complete implementations for JWT authentication, input validation with Zod, rate limiting with Redis, and security middleware. Code is production-quality with proper error handling.
- Workflow Clarity, 2 / 3: Steps are listed in the overview (Step 1-5) but lack explicit validation checkpoints. The examples show good patterns but don't include verification steps like 'test this endpoint before proceeding' or feedback loops for security testing.
- Progressive Disclosure, 2 / 3: References related skills and external resources at the end, but the main content is a monolithic wall of text. The extensive code examples could be split into separate files (e.g., JWT_AUTH.md, INPUT_VALIDATION.md) with the main skill providing a concise overview.

Total: 8 / 12

Passed

Validation: 81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 checks passed

Validation for skill structure

Criteria (description, result):

- skill_md_line_count: SKILL.md is long (911 lines); consider splitting into references/ and linking. Result: Warning
- frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 9 / 11 (Passed)

Repository: boisenoise/skills-collections (Reviewed)
