
api-security-testing

API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.

40

Quality: 26% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)


Quality

Discovery: 32%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear domain (API security testing) and lists relevant topic areas, but it reads more like a table of contents than an actionable skill description. It lacks concrete actions (what does it actually do—generate tests? review code? produce reports?) and entirely omits explicit trigger guidance for when Claude should select this skill.

Suggestions

Add a 'Use when...' clause with explicit triggers, e.g., 'Use when the user asks to test API endpoints for vulnerabilities, review API security configurations, or check for OWASP API Top 10 issues.'

Replace category labels with concrete actions, e.g., 'Tests authentication flows for broken auth, checks authorization boundaries between roles, validates rate limiting configurations, and fuzzes input parameters for injection vulnerabilities.'

Include additional natural trigger terms users might say, such as 'pentest', 'vulnerability', 'OWASP', 'JWT', 'OAuth', 'API keys', or 'endpoint security'.

Dimension scores (reasoning and score out of 3):

Specificity (2 / 3): Names the domain (API security testing) and lists several areas (authentication, authorization, rate limiting, input validation, security best practices), but these are categories rather than concrete actions. It doesn't specify what actions are performed, like 'tests for broken authentication' or 'fuzzes input parameters'.

Completeness (1 / 3): Describes what the skill covers at a high level but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause should cap completeness at 2, and since the 'what' is also somewhat vague (listing topics rather than actions), this falls to 1.

Trigger Term Quality (2 / 3): Includes relevant keywords like 'API', 'REST', 'GraphQL', 'authentication', 'authorization', 'rate limiting', and 'input validation' which users might naturally mention. However, it misses common variations like 'OWASP', 'pentest', 'vulnerability scanning', 'API keys', 'JWT', 'OAuth', or 'endpoint security'.

Distinctiveness / Conflict Risk (2 / 3): The combination of 'API security testing' with 'REST and GraphQL' provides some distinctiveness, but terms like 'authentication', 'authorization', and 'input validation' could overlap with general security skills, web development skills, or API development skills.

Total: 7 / 12 (Passed)

Implementation: 20%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is a high-level checklist masquerading as a workflow. It provides no concrete, executable guidance—every phase is a list of vague actions delegated to other skills via trivial prompts. The repetitive template structure wastes tokens without adding actionable value, and the absence of specific commands, payloads, code examples, or validation steps makes it nearly useless as practical guidance.

Suggestions

Replace vague action items with concrete, executable examples—e.g., specific curl commands for testing JWT validation, example GraphQL introspection queries, or specific payloads for injection testing.

Add validation checkpoints between phases with specific pass/fail criteria (e.g., 'Confirm all endpoints return 401 without valid auth before proceeding to Phase 3').

Eliminate the repetitive per-phase template structure and consolidate into a concise table or compact list that maps phases to skills and key actions.

Remove the 'Copy-Paste Prompts' sections entirely or replace them with substantive, parameterized prompts that include target-specific details.

Dimension scores (reasoning and score out of 3):

Conciseness (1 / 3): Extremely verbose and repetitive. Each phase follows an identical template with vague action lists that add no value Claude doesn't already know. The 'Copy-Paste Prompts' sections are trivial one-liners that don't justify their own headings. The entire document could be condensed to a fraction of its size.

Actionability (1 / 3): No concrete code, commands, or executable examples anywhere. Every phase consists of vague action items like 'Test JWT tokens' and 'Test parameter validation' without any specific techniques, tools, payloads, or commands. The 'Copy-Paste Prompts' are just generic delegation statements to other skills, not actionable guidance.

Workflow Clarity (2 / 3): The phases are clearly sequenced and the overall structure provides a logical progression from discovery through various testing types. However, there are no validation checkpoints between phases, no feedback loops for when tests fail, and no criteria for when to proceed to the next phase.

Progressive Disclosure (2 / 3): References to other skills are present and clearly signaled, which is good. However, the main document is bloated with repetitive structure that could be condensed, and the references are shallow delegations rather than well-signaled pointers to detailed content. The document itself is a wall of similarly-structured sections.

Total: 6 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 10 / 11 checks passed

Criteria, description and result of the failing check:

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11 (Passed)

Repository: boisenoise/skills-collections (Reviewed)
