Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities
56
Quality: 46% (Does it follow best practices?)
Impact: Pending (No eval scenarios have been run)
Passed: No known issues
Quality
Discovery: 42%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description effectively lists specific security capabilities for API design, demonstrating good technical specificity. However, it critically lacks any 'Use when...' guidance, making it difficult for Claude to know when to select this skill over others. The trigger terms are adequate but could benefit from more natural user language variations.
Suggestions
- Add a 'Use when...' clause with explicit triggers like 'Use when designing secure APIs, implementing authentication flows, adding rate limiting, or protecting against OWASP API vulnerabilities'.
- Include common user terms and variations such as 'OAuth', 'JWT tokens', 'API keys', 'API security', 'secure REST endpoints', 'API protection'.
- Clarify the boundary with related skills by specifying that this is for API-specific security rather than general application security or authentication systems.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities. These are distinct, actionable security patterns. | 3 / 3 |
| Completeness | Describes what the skill does (implement secure API patterns) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. | 1 / 3 |
| Trigger Term Quality | Contains relevant technical terms like 'API', 'authentication', 'authorization', 'rate limiting' that users might say, but is missing common variations like 'OAuth', 'JWT', 'API keys', 'security', 'secure endpoints', or 'API protection'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The focus on 'secure API design patterns' provides some specificity, but could overlap with general security skills, authentication skills, or API development skills without clearer boundaries. | 2 / 3 |
| Total | | 8 / 12 (Passed) |
Implementation: 50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides excellent, production-ready code examples for API security implementation, but suffers from severe verbosity that wastes context window space. The content explains concepts Claude already understands (what DDoS is, why passwords should be hashed) and could be reduced by 60-70% while maintaining all actionable value. The structure would benefit from splitting detailed examples into separate reference files.
Suggestions
- Remove explanatory sections like 'Why Rate Limiting?', 'The Problem' narratives, and OWASP descriptions; Claude knows these concepts.
- Split the three large examples into separate reference files (e.g., JWT_AUTH.md, INPUT_VALIDATION.md, RATE_LIMITING.md) and link to them from a concise overview.
- Add explicit validation checkpoints to workflows, e.g., 'Test the authentication endpoint with an invalid token before proceeding to protected routes'.
- Condense the 'Best Practices' and 'Don't Do This' sections into a single compact checklist without explanations.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at 700+ lines with extensive explanations Claude already knows (what JWT is, why rate limiting matters, basic security concepts). The 'Why Rate Limiting?' section and OWASP explanations are unnecessary padding. | 1 / 3 |
| Actionability | Provides fully executable, copy-paste ready code examples with complete implementations for JWT authentication, input validation with Zod, rate limiting with Redis, and security middleware. Code is production-quality with proper error handling. | 3 / 3 |
| Workflow Clarity | Steps are listed (Step 1-5 in the overview) but lack explicit validation checkpoints. The examples show implementation but don't include verification steps like 'test this endpoint before proceeding' or feedback loops for security testing. | 2 / 3 |
| Progressive Disclosure | References related skills and external resources at the end, but the main content is a monolithic wall of text. The three massive examples could be split into separate files (JWT.md, INPUT_VALIDATION.md, RATE_LIMITING.md) with SKILL.md providing a concise overview. | 2 / 3 |
| Total | | 8 / 12 (Passed) |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation for skill structure: 10 / 11 Passed
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (908 lines); consider splitting into references/ and linking | Warning |
| Total | | 10 / 11 Passed |
20ba150