api-security-best-practices
Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities
48
37%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/antigravity-api-security-best-practices/SKILL.mdQuality
Discovery
32%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description covers a reasonable set of security-related API concepts but reads more like a topic list than an actionable skill description. It lacks explicit trigger guidance ('Use when...') and misses common natural language variations users would employ. The description would benefit significantly from concrete action verbs, explicit trigger conditions, and more specific technical terms.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about API security, securing endpoints, adding authentication/authorization to APIs, or protecting against API attacks.'
Include more natural trigger terms and variations users would say, such as 'OAuth', 'JWT', 'API keys', 'CORS', 'SQL injection', 'XSS', 'API security', 'secure endpoints'.
Make actions more concrete by specifying outputs, e.g., 'Generates authentication middleware, implements JWT token validation, adds rate-limiting logic, and creates input sanitization layers for REST APIs.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists several domain-specific actions (authentication, authorization, input validation, rate limiting, vulnerability protection) but they read more like a category list than concrete actions. It doesn't specify what concrete outputs or transformations are performed (e.g., 'generate middleware code', 'add JWT token validation'). | 2 / 3 |
Completeness | Describes what the skill does (implement secure API design patterns) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per rubric guidelines, a missing 'Use when...' clause caps completeness at 2, and the 'what' is also only moderately clear, placing this at 1. | 1 / 3 |
Trigger Term Quality | Includes relevant terms like 'authentication', 'authorization', 'rate limiting', 'input validation', and 'API vulnerabilities' that users might mention. However, it misses common natural variations like 'API security', 'OAuth', 'JWT', 'CORS', 'API keys', 'token-based auth', or 'SQL injection'. | 2 / 3 |
Distinctiveness Conflict Risk | The focus on 'secure API design patterns' is somewhat specific, but terms like 'authentication', 'authorization', and 'input validation' could easily overlap with general security skills, web development skills, or backend development skills. | 2 / 3 |
Total | 7 / 12 Passed |
Implementation
42%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides excellent, executable code examples covering JWT auth, input validation, rate limiting, and common security pitfalls. However, it is severely bloated—explaining many concepts Claude already knows, listing obvious best practices, and cramming everything into a single monolithic file. The content would benefit enormously from being split into focused reference files with a lean overview, and from removing explanatory text that adds no value for an AI assistant.
Suggestions
Reduce the main file to a concise overview (~50-80 lines) with quick-reference patterns, and move the detailed JWT, input validation, and rate limiting examples into separate referenced files (e.g., JWT_AUTH.md, INPUT_VALIDATION.md, RATE_LIMITING.md).
Remove sections that explain concepts Claude already knows: 'Why Rate Limiting?' bullets, OWASP Top 10 descriptions, 'When to Use This Skill' list, and generic do/don't lists.
Add explicit validation/verification steps to the workflow, such as 'After implementing auth, test with: curl -H "Authorization: Bearer <invalid>" to verify rejection' to create feedback loops.
Consolidate the Security Checklist, Best Practices, and Common Pitfalls into a single concise reference section or separate file, eliminating redundancy between them.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Extremely verbose at 500+ lines. Extensively explains concepts Claude already knows (what SQL injection is, why rate limiting matters, what HTTPS is). The OWASP Top 10 list, 'Why Rate Limiting?' section, and many do/don't lists are general knowledge that waste tokens. The 'When to Use This Skill' section lists 8 obvious bullet points. | 1 / 3 |
Actionability | The code examples are fully executable, complete, and copy-paste ready. JWT authentication, input validation with Zod, rate limiting with Redis, and the common pitfalls all include concrete, working JavaScript code with proper error handling. | 3 / 3 |
Workflow Clarity | Steps 1-5 in 'How It Works' are listed but are abstract descriptions rather than actionable sequences. There are no validation checkpoints or feedback loops between steps. The examples within each section are clear individually but the overall workflow for securing an API lacks explicit verification steps (e.g., 'run security scan after implementing auth'). | 2 / 3 |
Progressive Disclosure | Monolithic wall of text with everything inline. The massive code examples for JWT, input validation, and rate limiting should be in separate referenced files. The security checklist, OWASP Top 10, best practices, and common pitfalls all compete for attention in a single file with no clear hierarchy or navigation to external documents. | 1 / 3 |
Total | 7 / 12 Passed |
Validation
81%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
skill_md_line_count | SKILL.md is long (916 lines); consider splitting into references/ and linking | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 9 / 11 Passed | |
- Repository
- boisenoise/skills-collections
- Commit
431bfad
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.