performing-penetration-testing
This skill enables automated penetration testing of web applications. It uses the penetration-tester plugin to identify vulnerabilities, including OWASP Top 10 threats, and suggests exploitation techniques. Use this skill when the user requests a "penetration test", "pentest", "vulnerability assessment", or asks to "exploit" a web application. It provides comprehensive reporting on identified security flaws.
86
44%
Does it follow best practices?
Impact
90%
1.00xAverage score across 12 eval scenarios
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/penetration-tester/skills/penetration-tester/SKILL.mdQuality
Discovery
89%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid skill description that clearly communicates its purpose and includes explicit trigger guidance. Its main weakness is that the specific capabilities could be more granular—listing concrete testing actions (e.g., SQL injection, XSS, CSRF testing) rather than broad categories like 'OWASP Top 10 threats'. The trigger terms and completeness are strong points.
Suggestions
Replace the general 'OWASP Top 10 threats' reference with specific concrete actions like 'test for SQL injection, cross-site scripting (XSS), broken authentication, CSRF, and insecure deserialization' to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Names the domain (penetration testing of web applications) and some actions (identify vulnerabilities, suggests exploitation techniques, comprehensive reporting), but the actions are somewhat general rather than listing multiple concrete specific operations like 'SQL injection testing, XSS scanning, authentication bypass attempts'. | 2 / 3 |
Completeness | Clearly answers both 'what' (automated penetration testing, identifying vulnerabilities including OWASP Top 10, suggesting exploitation techniques, comprehensive reporting) and 'when' (explicit 'Use this skill when...' clause with specific trigger phrases). | 3 / 3 |
Trigger Term Quality | Includes strong natural trigger terms: 'penetration test', 'pentest', 'vulnerability assessment', 'exploit', 'web application', 'OWASP Top 10'. These are terms users would naturally use when requesting this type of work. | 3 / 3 |
Distinctiveness Conflict Risk | The description carves out a clear niche around penetration testing and exploitation of web applications with distinct trigger terms like 'pentest' and 'exploit' that are unlikely to conflict with general security or development skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
0%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content is essentially a marketing description rather than an actionable skill. It lacks any concrete code, commands, plugin invocation syntax, or executable guidance. The entire document describes what the skill does in abstract terms without ever showing Claude how to actually perform penetration testing using the referenced plugin.
Suggestions
Add concrete plugin invocation syntax showing exactly how to call the penetration-tester plugin with specific parameters (e.g., target URL, scan type, scope configuration).
Replace the abstract examples with executable workflows showing actual commands, expected output formats, and how to parse/present results to the user.
Add explicit validation checkpoints and safety gates: verify authorization confirmation from user before proceeding, validate target scope, check scan results before attempting exploitation techniques.
Remove the 'When to Use This Skill' and 'Overview' sections which duplicate the frontmatter description, and replace with actionable content like report templates or output schemas.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is verbose and padded with information Claude already knows. Sections like 'When to Use This Skill' repeat the description, 'How It Works' describes obvious steps at a high level, and 'Best Practices' states things like 'ensure you have authorization' which are common knowledge. Nearly every section explains concepts rather than providing actionable new information. | 1 / 3 |
Actionability | There is no concrete code, no executable commands, no specific tool invocations, and no actual plugin usage syntax. The examples describe what 'the skill will' do in abstract terms rather than showing how to actually invoke the penetration-tester plugin or what commands/parameters to use. Everything is descriptive rather than instructive. | 1 / 3 |
Workflow Clarity | The workflow steps are vague abstractions ('Initiate a comprehensive penetration test', 'Generate a detailed report') with no concrete sequencing, no validation checkpoints, no error handling, and no feedback loops. For a skill involving potentially destructive security testing operations, the complete absence of validation steps and safety checks is a critical gap. | 1 / 3 |
Progressive Disclosure | The content is a monolithic block with no references to external files, no linked resources, and no structured navigation to deeper content. The 'Integration' section vaguely mentions other tools without any concrete references. There are no bundle files to support the skill. | 1 / 3 |
Total | 4 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Commit
13d35b8
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.