scanning-api-security

Detect API security vulnerabilities including injection, broken auth, and data exposure. Use when scanning APIs for security vulnerabilities. Trigger with phrases like "scan API security", "check for vulnerabilities", or "audit API security".

Overall score: 68

Quality: 62%
Does it follow best practices?

Impact: Pending
No eval scenarios have been run

Security by Snyk: Passed
No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/api-development/api-security-scanner/skills/scanning-api-security/SKILL.md

Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a reasonably well-structured description with explicit trigger guidance and a clear 'Use when' clause. Its main weakness is that the capability description is somewhat surface-level — listing vulnerability categories without detailing specific actions or outputs — and the trigger terms could overlap with broader security scanning skills.

Suggestions

Add more specific concrete actions beyond 'detect', such as 'generates remediation recommendations', 'produces security reports', or 'tests API endpoints' to improve specificity.

Differentiate more clearly from general security scanning by specifying supported API types (REST, GraphQL, etc.) or referencing standards like OWASP API Top 10 to reduce conflict risk.

Dimension scores (reasoning, score):

Specificity (2 / 3): Names the domain (API security) and lists some vulnerability categories (injection, broken auth, data exposure), but doesn't describe concrete actions beyond 'detect' — no mention of specific outputs, remediation suggestions, report generation, or supported API formats.

Completeness (3 / 3): Clearly answers both 'what' (detect API security vulnerabilities including injection, broken auth, data exposure) and 'when' (explicit 'Use when' clause and 'Trigger with phrases' providing concrete activation guidance).

Trigger Term Quality (3 / 3): Includes natural trigger phrases like 'scan API security', 'check for vulnerabilities', 'audit API security', plus domain terms like 'injection', 'broken auth', 'data exposure'. These are terms users would naturally use when seeking this capability.

Distinctiveness / Conflict Risk (2 / 3): The focus on API security vulnerabilities is fairly specific, but 'check for vulnerabilities' is broad enough to potentially overlap with general code security scanning, web application security, or network vulnerability skills. The API focus helps but isn't fully distinctive.

Total: 10 / 12 (Passed)

Implementation

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides a well-organized framework for API security scanning with good progressive disclosure and reasonable workflow structure. However, its critical weakness is the complete lack of actionable, executable guidance — no grep patterns, no code snippets, no specific tool commands — making it read more like a checklist description than an operational skill Claude can execute. The content would benefit significantly from concrete examples showing exactly how to detect each vulnerability type.

Suggestions

Add concrete, executable code/command examples for each instruction step — e.g., specific grep patterns for finding unprotected routes, code snippets showing how to detect mass assignment, or exact nuclei/ZAP commands to run.

Include at least one complete worked example showing input (sample vulnerable code) and expected output (the security finding report format) so Claude knows exactly what to produce.

Add validation checkpoints between steps — e.g., 'After step 1, verify the endpoint inventory is complete by cross-referencing against the OpenAPI spec before proceeding to auth audit.'

Remove the Prerequisites section's assumption of tool familiarity (OWASP checklist familiarity) and instead embed the specific checks inline where they're needed.
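As an added illustration of the kind of executable check the suggestions above ask for (example code written for this review page, not part of the scanning-api-security skill or the jeremylongshore repository), the Python script below scans a constructed Flask-style source sample for three of the categories the skill names: handlers with no authentication decorator (unprotected routes), handlers that fetch an object by a path id without any ownership check (a BOLA candidate), and handlers that unpack the request body straight into a model (mass assignment). It emits findings in a simple JSON report shape. The decorator names, regexes and sample routes are assumptions for illustration; a real scanner would tune them to the framework and auth library in use, and the BOLA heuristic (no reference to the current user near the lookup) produces candidates for review, not confirmed vulnerabilities.

```python
"""Added example for this review: a minimal static check for three API
weaknesses in Flask-style route handlers. Not part of the skill under review;
decorator names, regexes and the sample source are illustrative assumptions."""
import json
import re
from dataclasses import asdict, dataclass

# Constructed sample input (not from any real project).
SAMPLE_SOURCE = '''
@app.route("/users/<int:user_id>", methods=["GET"])
@login_required
def get_user(user_id):
    user = User.query.get_or_404(user_id)
    if user.id != current_user.id:
        abort(403)
    return jsonify(user.to_dict())

@app.route("/orders/<int:order_id>", methods=["GET"])
@login_required
def get_order(order_id):
    order = Order.query.get_or_404(order_id)
    return jsonify(order.to_dict())

@app.route("/admin/export", methods=["GET"])
def export_all():
    return jsonify([u.to_dict() for u in User.query.all()])

@app.route("/users/<int:user_id>", methods=["PATCH"])
@login_required
def update_user(user_id):
    user = User.query.get_or_404(user_id)
    if user.id != current_user.id:
        abort(403)
    user.update(**request.json)
    return jsonify(user.to_dict())
'''

# Assumed decorator names that mark a handler as authenticated.
AUTH_DECORATORS = {"login_required", "jwt_required", "auth_required"}
ROUTE_DECORATOR = re.compile(
    r'@app\.route\("(?P<path>[^"]+)"(?:,\s*methods=\[(?P<methods>[^\]]*)\])?\)'
)
ID_PARAM = re.compile(r"<(?:\w+:)?(\w+id)>")          # e.g. <int:order_id>
OWNERSHIP_CHECK = re.compile(r"current_user|owner_id|abort\(403\)")
MASS_ASSIGN = re.compile(r"\*\*\s*request\.(?:json|form|get_json\(\))")


@dataclass
class Finding:
    rule: str
    severity: str
    function: str
    path: str
    methods: str
    line: int
    detail: str


def split_routes(source):
    """Yield (1-based start line, block text) for each @app.route handler."""
    lines = source.splitlines()
    starts = [i for i, text in enumerate(lines) if text.lstrip().startswith("@app.route(")]
    for idx, start in enumerate(starts):
        end = starts[idx + 1] if idx + 1 < len(starts) else len(lines)
        yield start + 1, "\n".join(lines[start:end])


def scan(source):
    """Return the list of Findings for a Flask-style source string."""
    findings = []
    for line_no, block in split_routes(source):
        route = ROUTE_DECORATOR.search(block)
        if route is None:
            continue
        path = route.group("path")
        methods = (route.group("methods") or '"GET"').replace('"', "").replace(" ", "")
        head, _, body = block.partition("def ")       # decorators vs handler body
        function = body.split("(", 1)[0].strip()
        decorators = set(re.findall(r"@(\w+)", head))

        if not decorators & AUTH_DECORATORS:
            findings.append(Finding("unprotected-route", "high", function, path, methods,
                                    line_no, "handler has no authentication decorator"))
        id_params = ID_PARAM.findall(path)
        if id_params and not OWNERSHIP_CHECK.search(body):
            findings.append(Finding("bola-candidate", "high", function, path, methods, line_no,
                                    f"object fetched by {id_params[0]} with no ownership check"))
        if MASS_ASSIGN.search(body):
            findings.append(Finding("mass-assignment", "medium", function, path, methods,
                                    line_no, "request body unpacked directly into a model"))
    return findings


def build_report(findings):
    """Report shape an agent could emit: per-severity summary plus findings."""
    summary = {}
    for f in findings:
        summary[f.severity] = summary.get(f.severity, 0) + 1
    return {"summary": summary, "findings": [asdict(f) for f in findings]}


if __name__ == "__main__":
    print(json.dumps(build_report(scan(SAMPLE_SOURCE)), indent=2))
```

Run against the sample, the scanner reports get_order as a BOLA candidate, export_all as an unprotected route and update_user for mass assignment, while get_user (authenticated, with an explicit owner check) produces nothing. The line number and rule name in each finding are what a skill's output section would pin down so an agent knows exactly what to emit.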

Dimension scores (reasoning, score):

Conciseness (2 / 3): The content is moderately verbose with some unnecessary elaboration. The overview restates what the instructions cover, the prerequisites list things Claude already knows (like OWASP familiarity), and the examples section describes scenarios without providing executable guidance. However, it's not egregiously padded.

Actionability (1 / 3): Despite listing 9 steps, the instructions are entirely descriptive rather than executable. There are no concrete code snippets, grep patterns, specific commands, or copy-paste ready examples. Steps like 'Scan all route definitions using Grep' don't show what grep patterns to use, and 'Check for BOLA' doesn't show how to actually detect it in code.

Workflow Clarity (2 / 3): The 9 steps provide a reasonable sequence for a security audit, and the error handling table adds useful troubleshooting guidance. However, there are no validation checkpoints, no feedback loops for when vulnerabilities are found, and no explicit decision points about when to proceed or stop. For a process involving security-critical analysis, the lack of verification steps is notable.

Progressive Disclosure (3 / 3): The content is well-structured with clear sections (Overview, Prerequisites, Instructions, Output, Error Handling, Examples, Resources) and appropriately references external files (implementation.md, errors.md, examples.md) at one level deep with clear signaling. The main file serves as a good overview without being monolithic.

Total: 8 / 12 (Passed)

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 checks passed

Validation for skill structure

Criteria (result, description):

allowed_tools_field (Warning): 'allowed-tools' contains unusual tool name(s)

frontmatter_unknown_keys (Warning): Unknown frontmatter key(s) found; consider removing or moving to metadata

Total: 9 / 11 (Passed)

Repository: jeremylongshore/claude-code-plugins-plus-skills (Reviewed)
