
api-security-testing

API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.

Quality: 26% (Does it follow best practices?)

Impact: 96%, 1.10x (Average score across 3 eval scenarios)

Security by Snyk: Passed (No known issues)


Quality

Discovery (32%)

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear domain (API security testing) and lists relevant topic areas, but it reads more like a table of contents than an actionable skill description. It lacks concrete actions (what the skill actually does) and entirely omits trigger guidance (when Claude should use it), which are critical for skill selection from a large pool.

Suggestions

Add an explicit 'Use when...' clause with trigger terms like 'API security', 'pen test API', 'test authentication endpoints', 'check rate limits', 'GraphQL security'.

Replace category names with concrete actions, e.g., 'Tests for broken authentication, checks authorization bypass vulnerabilities, validates rate limiting enforcement, fuzzes API inputs for injection attacks'.

Include common user-facing synonyms and file/tool references like 'OWASP API Top 10', 'JWT tokens', 'OAuth flows', 'Postman', or 'Burp Suite' to improve trigger term coverage.

Dimension / Reasoning / Score

Specificity (2 / 3): Names the domain (API security testing) and lists several areas (authentication, authorization, rate limiting, input validation, security best practices), but these are categories rather than concrete actions. It doesn't specify what actions are performed, like 'tests for broken authentication' or 'fuzzes input parameters'.

Completeness (1 / 3): Describes what the skill covers (API security testing across several domains) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and the 'what' is also somewhat weak (categories rather than actions), placing this at 1.

Trigger Term Quality (2 / 3): Includes relevant keywords like 'API', 'REST', 'GraphQL', 'authentication', 'authorization', 'rate limiting', and 'input validation' which users might naturally mention. However, it misses common variations like 'OWASP', 'pen test', 'vulnerability scan', 'API keys', 'JWT', 'OAuth', or 'security audit'.

Distinctiveness / Conflict Risk (2 / 3): The combination of 'API security testing' with 'REST and GraphQL' is fairly specific, but 'security best practices' and 'input validation' are broad enough to overlap with general security skills or web application testing skills.

Total: 7 / 12 (Passed)

Implementation (20%)

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is a high-level checklist masquerading as a workflow. It lacks any concrete, executable guidance—no actual commands, code snippets, tool invocations, or specific testing techniques. The repetitive phase structure with generic action items like 'Test JWT tokens' and 'Test SQL injection' provides no value beyond what Claude already knows, making it both verbose and unactionable.

Suggestions

Replace vague action items with concrete, executable examples—e.g., actual curl commands for testing JWT validation, specific GraphQL introspection queries, or example payloads for injection testing.

Add validation checkpoints between phases with specific pass/fail criteria (e.g., 'Confirm all endpoints return 401 without valid auth before proceeding to Phase 3').

Eliminate the repetitive 'Copy-Paste Prompts' sections that just say 'Use @skill-name to do X'—either provide substantive prompts with parameters and expected outputs, or remove them entirely.

Condense the entire skill to focus on the decision logic and specific techniques that differentiate API security testing from generic knowledge, rather than listing obvious steps Claude already understands.

Dimension / Reasoning / Score

Conciseness (1 / 3): Extremely verbose and repetitive structure. Each phase follows an identical template with vague action lists that add no value Claude doesn't already know. The 'Copy-Paste Prompts' sections are trivially obvious one-liners. The entire skill could be condensed to a fraction of its size.

Actionability (1 / 3): No concrete code, commands, or executable examples anywhere. Every phase consists of vague action items like 'Test JWT tokens' and 'Test SQL injection' without any specific techniques, payloads, tool commands, or code snippets. The 'Copy-Paste Prompts' are just 'Use @skill-name to do X' which provide no real guidance.

Workflow Clarity (2 / 3): The phases are clearly sequenced and the overall flow from discovery through authentication, authorization, input validation, rate limiting, GraphQL, and error handling is logical. However, there are no validation checkpoints between phases, no feedback loops for when tests fail, and no criteria for when to proceed to the next phase.

Progressive Disclosure (2 / 3): References to other skills are present throughout (e.g., @api-fuzzing-bug-bounty, @broken-authentication), providing some progressive disclosure. However, the main content is a monolithic wall of repetitive sections that could be significantly condensed, and the references are not clearly signaled as links to deeper content; they're just skill names without context about what those skills actually provide.

Total: 6 / 12 (Passed)

Validation (90%)

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11 (Passed)

Repository: boisenoise/skills-collections (Reviewed)
