This skill enables automated penetration testing of web applications. It uses the penetration-tester plugin to identify vulnerabilities, including OWASP Top 10 threats, and suggests exploitation techniques. Use this skill when the user requests a "penetration test", "pentest", "vulnerability assessment", or asks to "exploit" a web application. It provides comprehensive reporting on identified security flaws.
Install with Tessl CLI
npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill performing-penetration-testing86
Quality: 48% (Does it follow best practices?)
Impact: 90% (1.00x average score across 12 eval scenarios)
Optimize this skill with Tessl
npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/penetration-tester/skills/penetration-tester/SKILL.md
Discovery: 89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-structured skill description with strong trigger terms and explicit usage guidance. The main weakness is that the capabilities could be more specific: listing concrete testing actions rather than general categories. The description correctly uses third person voice and provides clear differentiation from other skills.
Suggestions
Add more specific concrete actions such as 'scan for SQL injection, test XSS vulnerabilities, enumerate endpoints, test authentication mechanisms' to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (penetration testing of web applications) and mentions some actions (identify vulnerabilities, suggests exploitation techniques, provides reporting), but lacks specific concrete actions like 'scan for SQL injection, test authentication bypasses, enumerate endpoints'. | 2 / 3 |
| Completeness | Clearly answers both what (automated penetration testing, identifies vulnerabilities, suggests exploitation techniques, provides reporting) AND when (explicit 'Use this skill when...' clause with specific trigger phrases). | 3 / 3 |
| Trigger Term Quality | Includes excellent natural trigger terms users would say: 'penetration test', 'pentest', 'vulnerability assessment', 'exploit', 'web application', and 'OWASP Top 10'. Good coverage of common variations. | 3 / 3 |
| Distinctiveness Conflict Risk | Clear niche focused on web application penetration testing with distinct triggers like 'pentest', 'vulnerability assessment', and 'exploit'. Unlikely to conflict with general security or coding skills due to specific terminology. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content is largely descriptive rather than instructive, explaining what penetration testing is rather than how to execute it with the available tools. It lacks any concrete commands, code examples, or actual tool invocations, making it unusable as practical guidance. The content would benefit from showing actual plugin usage syntax and specific validation steps for security operations.
Suggestions
Add concrete examples showing actual penetration-tester plugin commands/API calls with expected output formats
Remove explanatory content about what penetration testing is and OWASP Top 10 - Claude already knows these concepts
Add explicit validation checkpoints: how to verify scan completion, how to handle failed scans, how to confirm authorization before proceeding
Include actual command syntax or code snippets that are copy-paste ready for initiating scans and parsing results
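The third suggestion asks for explicit checkpoints: confirming authorization before any request is sent, and deciding after the scan whether its results can be reported at all. The following is an added example of what such a gate can look like; it is not code from the penetration-tester plugin, from the skill, or from Tessl. The scope-document format, the scanner-result shape (`status`, `requests_sent`, `planned_requests`, `errors`) and every host name are assumptions made up for illustration.

```python
"""Authorization gate and scan-completion check for an automated web pentest.
Added example (not plugin or Tessl code); scope format, result shape and hosts are assumed."""
import ipaddress
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample scope document (hypothetical format): who authorized the
# test, for which window, and which hosts or networks are in or out of scope.
SCOPE_JSON = """{
  "engagement": "example-web-2025-q1",
  "authorized_by": "security@app.example",
  "valid_from": "2025-01-10T00:00:00+00:00",
  "valid_until": "2025-01-24T23:59:59+00:00",
  "in_scope": ["app.example", "api.app.example", "10.20.0.0/24"],
  "out_of_scope": ["payments.app.example"]
}"""

EXAMPLE_NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)   # inside the window
EXAMPLE_LATE = datetime(2025, 2, 1, 12, 0, tzinfo=timezone.utc)   # after valid_until


def load_scope(text):
    """Parse the scope document and refuse one that lacks the fields the gate needs."""
    scope = json.loads(text)
    for key in ("authorized_by", "valid_from", "valid_until", "in_scope"):
        if key not in scope:
            raise ValueError(f"scope document missing required field: {key}")
    scope["valid_from"] = datetime.fromisoformat(scope["valid_from"])
    scope["valid_until"] = datetime.fromisoformat(scope["valid_until"])
    scope.setdefault("out_of_scope", [])
    return scope


def host_matches(host, entry):
    """True if host is covered by a scope entry: exact host, subdomain, or CIDR."""
    if "/" in entry:
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False  # host is a name, not an address; a CIDR entry cannot cover it
    host, entry = host.lower(), entry.lower()
    return host == entry or host.endswith("." + entry)


def target_authorized(url, scope, now=None):
    """Return (allowed, reason). Denies win over allows; anything unparseable is denied."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, f"not an http(s) URL with a host: {url!r}"
    host = parts.hostname
    if not scope["valid_from"] <= now <= scope["valid_until"]:
        return False, "outside the authorized testing window"
    for entry in scope["out_of_scope"]:
        if host_matches(host, entry):
            return False, f"{host} is explicitly out of scope ({entry})"
    for entry in scope["in_scope"]:
        if host_matches(host, entry):
            return True, f"{host} is in scope ({entry})"
    return False, f"{host} is not listed in the scope document"


def gate_targets(urls, scope, now=None):
    """Split a target list into URLs that may be scanned and (url, reason) denials."""
    allowed, denied = [], []
    for url in urls:
        ok, reason = target_authorized(url, scope, now)
        if ok:
            allowed.append(url)
        else:
            denied.append((url, reason))
    return allowed, denied


def scan_outcome(result):
    """Classify a scanner result (assumed shape) before anything is reported:
    'complete' may be reported as-is, 'partial' must state the coverage gap,
    'failed' must not be reported as if the target had been tested."""
    sent = result.get("requests_sent", 0)
    if result.get("status") != "completed" or sent == 0:
        return "failed"
    if sent < result.get("planned_requests", 0) or result.get("errors"):
        return "partial"
    return "complete"


if __name__ == "__main__":
    scope = load_scope(SCOPE_JSON)
    targets = ["https://app.example/login", "https://payments.app.example/",
               "http://10.20.0.7/", "https://other.example/", "app.example/login"]
    allowed, denied = gate_targets(targets, scope, EXAMPLE_NOW)
    print("allowed:", allowed)
    print("denied:", denied)
```

The gate is deliberately deny-first: an explicit out-of-scope entry overrides any in-scope match (so `payments.app.example` is refused even though it is a subdomain of `app.example`), the time window is checked on every call rather than once at startup, and a URL the gate cannot parse is treated as unauthorized rather than passed through. The outcome check exists so that a scan that aborted after zero requests is never written up as "no findings".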
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and explains concepts Claude already knows (what penetration testing is, OWASP Top 10, basic security concepts). The 'When to Use This Skill' section repeats information from the description, and 'How It Works' describes obvious workflow steps without adding value. | 1 / 3 |
| Actionability | No concrete code, commands, or executable guidance provided. The examples describe what 'the skill will' do abstractly rather than showing actual commands, API calls, or tool invocations. There's no indication of how to actually use the 'penetration-tester plugin' mentioned. | 1 / 3 |
| Workflow Clarity | The workflow is vague and lacks any validation checkpoints. Steps like 'Initiate a comprehensive penetration test' provide no actual sequence of operations. For security-critical operations, there are no verification steps, error handling, or feedback loops for when scans fail or produce unexpected results. | 1 / 3 |
| Progressive Disclosure | The content is organized into logical sections with clear headers, but it's a monolithic document with no references to external files for detailed API usage, tool configuration, or advanced techniques. The 'Integration' section hints at more capabilities but provides no navigation to learn more. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.