This skill enables Claude to perform automated fuzz testing on APIs to discover vulnerabilities, crashes, and unexpected behavior. It leverages malformed inputs, boundary values, and random payloads to generate comprehensive fuzz test suites. Use this skill when you need to identify potential SQL injection, XSS, command injection vulnerabilities, input validation failures, and edge cases in APIs. Trigger this skill by requesting fuzz testing, vulnerability scanning, or security analysis of an API. The skill is invoked using the `/fuzz-api` command.
Score: 63
Quality: 53% (Does it follow best practices?)
Impact: Pending (No eval scenarios have been run)
Advisory: Suggest reviewing before use

Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly articulates specific capabilities (fuzz testing with malformed inputs, boundary values, random payloads), names concrete vulnerability types (SQL injection, XSS, command injection), and provides explicit trigger guidance including a command. The description is well-structured with both 'what' and 'when' clearly addressed, though it is slightly verbose and uses second person ('you need') in one place.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'fuzz testing on APIs', 'discover vulnerabilities, crashes, and unexpected behavior', 'malformed inputs, boundary values, and random payloads', 'generate comprehensive fuzz test suites', and specific vulnerability types like 'SQL injection, XSS, command injection'. | 3 / 3 |
| Completeness | Clearly answers both 'what' (automated fuzz testing on APIs using malformed inputs, boundary values, random payloads) and 'when' ('Use this skill when you need to identify potential SQL injection, XSS...', 'Trigger this skill by requesting fuzz testing, vulnerability scanning, or security analysis'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would say: 'fuzz testing', 'vulnerability scanning', 'security analysis', 'SQL injection', 'XSS', 'command injection', 'input validation', 'edge cases', and the explicit command '/fuzz-api'. | 3 / 3 |
| Distinctiveness / Conflict Risk | Occupies a clear niche of API fuzz testing and security vulnerability discovery, with distinct triggers like '/fuzz-api', 'fuzz testing', and specific vulnerability types that are unlikely to conflict with general testing or coding skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads like a marketing description of fuzz testing rather than actionable instructions for Claude. It lacks any concrete code, specific payloads, tool commands, or executable examples. The content explains concepts Claude already understands while failing to provide the specific, novel guidance that would enable Claude to actually perform fuzz testing.
Suggestions:

- Replace abstract descriptions with concrete, executable code examples showing actual HTTP requests with specific fuzzing payloads (e.g., SQL injection strings, XSS vectors, boundary values).
- Add a concrete workflow with specific tools/libraries to use (e.g., Python requests library), actual payload lists, and explicit validation steps for analyzing responses (status codes, error patterns to look for).
- Remove the 'How It Works' and 'When to Use' sections entirely; Claude already knows what fuzz testing is. Use that space for actionable content like payload dictionaries and response analysis patterns.
- Include example input/output showing the exact format of a fuzz test report, including how vulnerabilities should be categorized and reported.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and explains concepts Claude already knows (what fuzz testing is, what SQL injection is, what input validation means). The 'How It Works' section describes obvious steps, and the 'When to Use' section repeats information from the overview. Much of this could be cut without losing actionable value. | 1 / 3 |
| Actionability | There is no executable code, no concrete commands, no specific payloads, no API call examples, and no tool usage instructions. The examples describe what the skill 'will do' in abstract terms rather than providing concrete implementation details like actual fuzzing payloads, HTTP request formats, or analysis scripts. | 1 / 3 |
| Workflow Clarity | The workflow steps are vague descriptions ('generate payloads', 'send inputs', 'analyze responses') with no concrete sequencing, no validation checkpoints, no error handling, and no feedback loops. There is no guidance on how to actually execute any of these steps or what to do when issues are found. | 1 / 3 |
| Progressive Disclosure | The content is organized into logical sections with clear headers, which provides some structure. However, there are no references to supporting files, no bundle files exist, and content that could benefit from separate detailed references (e.g., payload libraries, analysis techniques) is neither included nor referenced. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation: 11 / 11 Passed
Validation for skill structure
No warnings or errors.
13d35b8