CtrlK
BlogDocsLog inGet started
Tessl Logo

api-security-testing

API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.

64

Quality

77%

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

Fix and improve this skill with Tessl

tessl review fix ./skills/antigravity-api-security-testing/SKILL.md
SKILL.md
Quality
Evals
Security

Quality

Content

72%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The content is a lean, well-organized workflow with clear phase sequencing, but its test actions are descriptive rather than executable and it lacks inter-phase validation checkpoints.

Suggestions

Add per-phase validation/verification checkpoints (e.g., 'Confirm all enumerated endpoints are documented before moving to Phase 2') to support a feedback loop and raise workflow clarity.

Make actions more executable by pairing each test category with a concrete command or tool invocation rather than a bare 'Test X' item.

Consolidate the seven formulaic 'Copy-Paste Prompts' blocks into a single reference table to reduce structural redundancy.

DimensionReasoningScore

Conciseness

The body is lean and assumes Claude's competence — phases are short lists of actions and prompts with no explanatory padding about what APIs or security concepts are, so every section earns its place.

3 / 3

Actionability

It provides copy-paste skill-invocation prompts and concrete test categories ('Test JWT tokens', 'Test query depth'), but the actions describe what to test rather than giving executable commands, fitting the 'some concrete guidance but incomplete' anchor.

2 / 3

Workflow Clarity

Seven phases are clearly sequenced and a final Quality Gates checklist provides end-state verification, but there are no per-phase validation checkpoints or feedback loops between phases, so checkpoints are only implicit.

2 / 3

Progressive Disclosure

No bundle files exist, so the skill is appropriately self-contained; the single SKILL.md is well-organized into labeled sections (Overview, Phases, Checklist, Quality Gates, Limitations) with easy navigation.

3 / 3

Total

10

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific and uses natural trigger terms within a clear API-security niche, but it omits any explicit 'Use when' guidance, which caps completeness at 2.

Suggestions

Add an explicit trigger clause, e.g. 'Use when testing REST or GraphQL API security, or when the user mentions API authentication, rate limiting, or input validation.'

Trim the trailing 'and security best practices' which is vague fluff that adds no concrete capability.

Confirm third-person voice is preserved throughout (it currently is) to protect the specificity score.

DimensionReasoningScore

Specificity

Names the domain (REST and GraphQL APIs) and lists multiple concrete capability areas — 'authentication, authorization, rate limiting, input validation, and security best practices' — matching the 'lists multiple specific concrete actions' anchor.

3 / 3

Completeness

It clearly states what the skill does, but there is no 'Use when...' clause or equivalent explicit trigger guidance, so per the judging guidelines completeness is capped at 2.

2 / 3

Trigger Term Quality

Includes natural terms a user would actually say ('API security testing', 'rate limiting', 'authentication', 'authorization', 'REST and GraphQL APIs'), giving good coverage rather than jargon.

3 / 3

Distinctiveness Conflict Risk

The API-security niche scoped to REST and GraphQL APIs is a clear, distinct focus unlikely to trigger for unrelated skills.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
boisenoise/skills-collections
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.