
scanning-api-security

Detect API security vulnerabilities including injection, broken auth, and data exposure. Use when scanning APIs for security vulnerabilities. Trigger with phrases like "scan API security", "check for vulnerabilities", or "audit API security".

74

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Passed

No known issues


Quality

Content

87%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A well-structured, lean security-audit skill with concrete actionable steps and clean one-level-deep references. The main gap is the absence of an explicit validation/verification checkpoint in the batch scanning workflow, which limits workflow clarity.

Suggestions

Add an explicit verification step (e.g., step 10: cross-check findings against the endpoint inventory to confirm every route was scanned, and review each Critical/High for false positives before writing the report) to give the batch workflow a validation checkpoint.

Realign references/implementation.md: it currently describes designing and building an API rather than implementing the security scan the body promises ('full implementation guide' for scanning), so the pointer misleads navigation.

Tighten the inline Error Handling table or move it fully into errors.md, since both currently carry scanner troubleshooting content and partially overlap.

Dimension | Reasoning | Score
Conciseness | The body is lean: a one-sentence overview, tight one-line prerequisites, and nine concise instructional steps, with no explanation of concepts Claude already knows and every section earning its place. | 3 / 3
Actionability | Each numbered step gives a concrete, specific check (e.g., verify BOLA ownership compares 'authenticated user's ID/role against the requested resource ownership', flag 'req.body passed directly to ORM create/update'), and executable code lives in examples.md — fully actionable guidance. | 3 / 3
Workflow Clarity | Steps are clearly sequenced 1–9 and the error-handling table offers recovery guidance, but the batch scan over all routes has no explicit validation checkpoint confirming completeness or cross-checking findings, which caps this dimension at 2 per the batch-operation guideline. | 2 / 3
Progressive Disclosure | Overview and core instructions sit inline while detail is split into clearly signaled, one-level-deep references (implementation.md, errors.md, examples.md), each verified to be a real leaf file with no nested pointer chains. | 3 / 3
Total | | 11 / 12 (Passed)

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A well-crafted description that concisely states the capability, gives an explicit 'Use when' trigger, and lists natural trigger phrases in correct third-person voice. It cleanly satisfies all four dimensions with no fluff or over-claims.

Dimension | Reasoning | Score
Specificity | Names the domain and multiple concrete detection targets — 'injection, broken auth, and data exposure' — matching the anchor for listing several specific concrete actions. | 3 / 3
Completeness | Explicitly states both what ('Detect API security vulnerabilities including injection, broken auth, and data exposure') and when ('Use when scanning APIs for security vulnerabilities') with explicit trigger guidance. | 3 / 3
Trigger Term Quality | Provides natural trigger phrases users would actually say — 'scan API security', 'check for vulnerabilities', or 'audit API security' — giving good coverage of likely phrasings. | 3 / 3
Distinctiveness / Conflict Risk | The 'API security' framing plus API-specific triggers carve a clear niche unlikely to fire for non-API security skills; voice is correctly third person with no first/second person. | 3 / 3
Total | | 12 / 12 (Passed)

Validation

87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 14 / 16 Passed

Validation for skill structure

Criteria | Description | Result
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning
Total | 14 / 16 | Passed

Repository
jeremylongshore/claude-code-plugins-plus-skills
Reviewed
