Detect API security vulnerabilities including injection, broken auth, and data exposure. Use when scanning APIs for security vulnerabilities. Trigger with phrases like "scan API security", "check for vulnerabilities", or "audit API security".
62% (Does it follow best practices?)
Impact: —
No eval scenarios have been run
Passed: No known issues
Optimize this skill with Tessl:
npx tessl skill review --optimize ./plugins/api-development/api-security-scanner/skills/scanning-api-security/SKILL.md

Quality
Discovery: 89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid description that clearly communicates its purpose and provides explicit trigger guidance. Its main weakness is that the capability description could be more specific about concrete actions beyond 'detect' — for example, what kind of output or analysis it produces. The trigger terms and completeness are strong, making it easy for Claude to select appropriately.
Suggestions
Expand the specificity of actions beyond 'detect' — e.g., 'Scans API endpoints for injection flaws, analyzes authentication flows, identifies data exposure risks, and generates remediation recommendations.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (API security) and lists some vulnerability categories (injection, broken auth, data exposure), but doesn't describe concrete actions beyond 'detect'. It lacks specifics like what outputs are produced, what formats are supported, or what remediation steps are provided. | 2 / 3 |
| Completeness | Clearly answers both 'what' (detect API security vulnerabilities including injection, broken auth, data exposure) and 'when' (explicit 'Use when' clause and 'Trigger with' clause specifying scanning APIs for security vulnerabilities with example phrases). | 3 / 3 |
| Trigger Term Quality | Includes natural trigger phrases users would say: 'scan API security', 'check for vulnerabilities', 'audit API security'. Also includes domain terms like 'injection', 'broken auth', 'data exposure' that users might mention. Good coverage of natural language variations. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clearly scoped to API security vulnerabilities specifically, with distinct trigger terms like 'scan API security' and 'audit API security'. Unlikely to conflict with general code review, web security, or other security-adjacent skills due to the specific API focus. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 35%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill covers API security scanning comprehensively but suffers from verbosity—it explains security concepts Claude already understands rather than providing targeted, executable instructions. The workflow is logically ordered but lacks concrete code/commands (grep patterns, specific tool invocations) and validation checkpoints. Referenced bundle files don't exist, undermining the progressive disclosure structure.
Suggestions
Replace descriptive steps with concrete, executable commands—e.g., provide actual grep patterns for finding unprotected routes, specific nuclei templates for OWASP checks, or code snippets for detecting mass assignment in common frameworks.
Remove explanations of well-known security concepts (BOLA definition, what CORS is, what mass assignment means) and instead focus on the specific detection patterns and tool configurations Claude should use.
Add explicit validation checkpoints in the workflow, such as 'After step 3, verify BOLA findings by cross-referencing with the endpoint-auth-matrix before proceeding' to create feedback loops.
Either provide the referenced bundle files (implementation.md, errors.md, examples.md) or move the inline error table and examples into those files to create a cleaner progressive disclosure structure.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is verbose and explains many concepts Claude already knows well (OWASP Top 10 categories, what BOLA is, what mass assignment is, what CORS headers are). The error handling table, examples section, and prerequisites all contain explanatory content that doesn't add actionable value. Much of this reads like a security textbook rather than targeted instructions. | 1 / 3 |
| Actionability | The instructions provide a reasonable sequence of what to check but lack concrete, executable commands or code snippets. Steps like 'Scan all route definitions using Grep' don't provide actual grep patterns. No specific code examples for detecting any of the vulnerability classes are given; it describes what to look for rather than showing how to do it. | 2 / 3 |
| Workflow Clarity | The 9 steps are sequenced logically and cover the scan process, but there are no validation checkpoints or feedback loops. For a security scanning workflow that could produce false positives/negatives, there's no explicit verify-and-iterate cycle within the main workflow. The error handling table partially compensates but is separate from the workflow itself. | 2 / 3 |
| Progressive Disclosure | The skill references external files (implementation.md, errors.md, examples.md), which is good structure, but no bundle files are provided, making these references dead links. The main file itself contains substantial inline content (error table, examples) that could have been deferred to those referenced files, creating an inconsistent split between what's inline and what's referenced. | 2 / 3 |
| Total | | 7 / 12 Passed |
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation: 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |