
api-security-testing

API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.

Overall score: 56

Quality: 33% (Does it follow best practices?)

Impact: 96%, 1.10x (average score across 3 eval scenarios)

Security (by Snyk): Passed, no known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/antigravity-api-security-testing/SKILL.md

Quality

Discovery: 32%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear domain (API security testing) and lists relevant coverage areas, but lacks concrete actions and explicit trigger guidance. It reads more like a topic list than an actionable skill description, and the absence of a 'Use when...' clause significantly weakens its utility for skill selection.

Suggestions

Add a 'Use when...' clause with explicit triggers like 'Use when testing API endpoints for vulnerabilities, reviewing API authentication flows, or when the user mentions API security, penetration testing, or OWASP API risks.'

Replace category names with concrete actions: instead of 'authentication, authorization', use 'test JWT token validation, verify OAuth flows, check for broken access control'.

Include common user terms and variations: 'pentest', 'vulnerability', 'OWASP', 'API keys', 'bearer tokens', 'CORS', 'injection attacks'.

| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (API security testing) and lists several areas covered (authentication, authorization, rate limiting, input validation, security best practices), but these are categories rather than concrete actions like 'test for SQL injection' or 'verify JWT token expiration'. | 2 / 3 |
| Completeness | Describes what the skill covers but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per rubric guidelines, missing explicit trigger guidance caps this at 2, but the 'what' is also weak (categories not actions), warranting a 1. | 1 / 3 |
| Trigger Term Quality | Includes relevant terms like 'API', 'REST', 'GraphQL', 'authentication', 'authorization', 'rate limiting' that users might mention, but missing common variations like 'pentest', 'OWASP', 'vulnerability scan', 'API keys', or 'OAuth'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The combination of 'API security testing' with 'REST and GraphQL' provides some distinctiveness, but 'security best practices' and 'input validation' are generic enough to potentially overlap with general security or code review skills. | 2 / 3 |

Total: 7 / 12 (Passed)

Implementation: 35%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill functions primarily as a high-level orchestration document that delegates to other skills rather than providing actionable security testing guidance itself. While the workflow structure is logical and the phases cover appropriate security domains, the content lacks concrete techniques, commands, or examples that would make it independently useful. The repetitive phase structure and vague action items like 'Test SQL injection' without any actual methodology significantly reduce its practical value.

Suggestions

Add concrete examples for at least 2-3 key tests per phase (e.g., actual curl commands for testing JWT validation, specific GraphQL introspection queries, rate limit bypass techniques)

Replace vague actions like 'Test API key validation' with specific techniques: 'Test missing key, invalid key, expired key, key in URL vs header'

Add validation checkpoints between phases with specific success criteria (e.g., 'Phase 1 complete when: endpoint list documented, all HTTP methods identified, authentication requirements mapped')

Include at least one executable code snippet demonstrating a common API security test (e.g., testing BOLA/IDOR with parameter manipulation)

| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is moderately efficient but includes repetitive structure (every phase has identical format with Skills/Actions/Prompts sections) and some unnecessary items like 'Document findings' that Claude would naturally do. The checklist items are useful but could be more compact. | 2 / 3 |
| Actionability | The skill provides only vague direction like 'Test API key validation' and 'Test JWT tokens' without any concrete code, commands, or specific techniques. The 'Copy-Paste Prompts' are just references to other skills rather than executable guidance. No actual testing methodology or tools usage is demonstrated. | 1 / 3 |
| Workflow Clarity | The phases are clearly sequenced and the checklist provides some validation structure, but there are no explicit validation checkpoints between phases, no feedback loops for when tests fail, and no guidance on how to verify that each phase was completed successfully before moving on. | 2 / 3 |
| Progressive Disclosure | The skill references other skills appropriately but the main content is somewhat monolithic with repetitive phase structures. The references to other skills are clear, but the inline content could be better organized; the identical structure for each phase adds bulk without adding value. | 2 / 3 |

Total: 7 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |

Total: 10 / 11 (Passed)

Repository: boisenoise/skills-collections (Reviewed)
