
scanning-api-security

tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill scanning-api-security

Detect API security vulnerabilities including injection, broken auth, and data exposure. Use when scanning APIs for security vulnerabilities. Trigger with phrases like "scan API security", "check for vulnerabilities", or "audit API security".

Overall: 51%


Validation (81%)

| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |

Total: 13 / 16 (Passed)

Implementation (7%)

This skill content fundamentally mismatches its stated purpose. The description promises API security vulnerability scanning (injection, broken auth, data exposure), but the content describes generic API development workflows. There are no security scanning tools, vulnerability detection techniques, or security-specific guidance whatsoever.

Suggestions

- Replace the API development instructions with actual security scanning workflows: specific tools (OWASP ZAP, Burp Suite, nuclei), vulnerability categories to check, and detection techniques
- Add concrete, executable examples showing how to detect specific vulnerabilities like SQL injection, broken authentication, or sensitive data exposure
- Include a clear security scanning workflow with validation steps: enumerate endpoints → test authentication → check for injection → verify data exposure → report findings
- Remove irrelevant prerequisites about 'Development environment with necessary frameworks' and replace with security scanning tool requirements

| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is padded with generic boilerplate that doesn't teach API security scanning. It explains prerequisites Claude already knows and includes irrelevant sections about API development rather than security vulnerability detection. | 1 / 3 |
| Actionability | No concrete security scanning commands, vulnerability detection code, or specific examples of how to identify injection, broken auth, or data exposure vulnerabilities. Instructions describe API development, not security scanning. | 1 / 3 |
| Workflow Clarity | The numbered steps are for building APIs, not scanning them for vulnerabilities. There's no workflow for security scanning, no validation checkpoints for vulnerability detection, and the steps don't match the skill's stated purpose. | 1 / 3 |
| Progressive Disclosure | References to external files (implementation.md, errors.md, examples.md) are present and one-level deep, but the main content is poorly organized and the references point to generic API development content rather than security scanning specifics. | 2 / 3 |

Total: 5 / 12 (Passed)

Activation (90%)

This is a solid skill description with excellent trigger term coverage and completeness. The explicit 'Use when' and 'Trigger with phrases' clauses make it very clear when Claude should select this skill. The main weakness is that the capability description could be more specific about what concrete actions the skill performs beyond detection.

Suggestions

- Expand the capabilities to include specific actions like 'generates security reports', 'identifies OWASP Top 10 issues', or 'provides remediation recommendations' to improve specificity.

| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (API security) and lists some vulnerability types (injection, broken auth, data exposure), but doesn't describe concrete actions beyond 'detect' - missing specifics like how it scans, what outputs it produces, or what remediation it offers. | 2 / 3 |
| Completeness | Clearly answers both what (detect API security vulnerabilities including specific types) and when (explicit 'Use when' clause plus 'Trigger with phrases' providing concrete examples of when to activate). | 3 / 3 |
| Trigger Term Quality | Explicitly includes natural trigger phrases users would say: 'scan API security', 'check for vulnerabilities', 'audit API security'. Also includes relevant technical terms like 'injection', 'broken auth', 'data exposure' that users might mention. | 3 / 3 |
| Distinctiveness Conflict Risk | Clearly scoped to API security specifically, with distinct triggers like 'scan API security' and 'audit API security'. Unlikely to conflict with general code review, web security, or other security-adjacent skills due to the API-specific focus. | 3 / 3 |

Total: 11 / 12 (Passed)
