
scanning-api-security

Detect API security vulnerabilities including injection, broken auth, and data exposure. Use when scanning APIs for security vulnerabilities. Trigger with phrases like "scan API security", "check for vulnerabilities", or "audit API security".

65

Quality

58%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Security by Snyk

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/api-development/api-security-scanner/skills/scanning-api-security/SKILL.md

Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a reasonably well-structured description with explicit trigger guidance and a clear 'Use when' clause. Its main weakness is that the capability description is somewhat shallow—listing vulnerability categories without detailing what concrete actions the skill performs (e.g., scanning endpoints, generating reports, suggesting remediations). The trigger terms are strong but the distinctiveness could be improved by being more specific about the skill's unique approach.

Suggestions

Add more specific concrete actions beyond 'detect', such as 'scans API endpoints, generates vulnerability reports, suggests remediation steps' to improve specificity.

Differentiate from general security/code review skills by specifying the type of APIs (REST, GraphQL) or standards followed (OWASP API Top 10) to reduce conflict risk.

Dimension | Reasoning | Score
--- | --- | ---
Specificity | Names the domain (API security) and lists some vulnerability categories (injection, broken auth, data exposure), but doesn't describe concrete actions beyond 'detect'. It lacks specifics about what the skill actually does (e.g., generates reports, suggests fixes, scans endpoints). | 2 / 3
Completeness | Clearly answers both 'what' (detect API security vulnerabilities including injection, broken auth, data exposure) and 'when' (explicit 'Use when' clause and 'Trigger with phrases' providing concrete trigger guidance). | 3 / 3
Trigger Term Quality | Includes good natural trigger terms: 'scan API security', 'check for vulnerabilities', 'audit API security', plus domain terms like 'injection', 'broken auth', 'data exposure'. These are phrases users would naturally say. | 3 / 3
Distinctiveness Conflict Risk | Focuses on API security specifically, which helps, but 'check for vulnerabilities' is broad enough to potentially overlap with general security scanning or code review skills. The API focus provides some distinction but could conflict with broader security audit tools. | 2 / 3
Total | | 10 / 12 (Passed)

Implementation

35%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads more like a security audit knowledge base than an actionable skill for Claude. It explains many concepts Claude already understands (OWASP categories, injection types, CORS) without providing the concrete grep patterns, code snippets, or executable commands needed to actually perform the scan. The structure is reasonable with external file references, but the main file is too verbose and the referenced bundle files don't exist.

Suggestions

Replace descriptive steps with concrete, executable commands — e.g., provide actual grep/ripgrep patterns for detecting raw SQL concatenation, missing auth middleware, wildcard CORS, and direct ORM pass-through.

Remove explanations of security concepts Claude already knows (what BOLA is, what mass assignment is, how CORS works) and replace with terse detection patterns and fix templates.

Add validation checkpoints within the workflow, such as 'After step 3, confirm BOLA findings by checking if any flagged endpoints have ownership verification in a different middleware layer before marking as vulnerable.'

Provide the referenced bundle files (implementation.md, errors.md, examples.md) or move the inline error table and examples into those files to reduce the main skill's token footprint.

Dimension | Reasoning | Score
--- | --- | ---
Conciseness | The skill is verbose and explains many concepts Claude already knows well (OWASP Top 10 categories, what BOLA is, what mass assignment is, how CORS works). The error handling table, examples section, and prerequisites all contain explanatory content that doesn't add actionable value. Much of this reads like a security textbook rather than targeted instructions. | 1 / 3
Actionability | The instructions provide a reasonable checklist of what to look for, but lack concrete executable code, specific grep patterns, actual commands to run, or copy-paste-ready scripts. Steps like 'Scan all route definitions using Grep' don't provide the actual grep commands or patterns. There are no concrete code examples for detecting any of the vulnerability types mentioned. | 2 / 3
Workflow Clarity | Steps are listed in a logical sequence (inventory → auth audit → BOLA → data exposure → etc.), but there are no validation checkpoints or feedback loops. For a security scanning workflow that could produce false positives/negatives, there's no explicit verify-and-iterate cycle within the main workflow. The error handling table partially compensates but is separate from the workflow. | 2 / 3
Progressive Disclosure | References to external files (implementation.md, errors.md, examples.md) are present and clearly signaled, which is good structure. However, no bundle files actually exist to support these references, and the main SKILL.md contains substantial inline content (error handling table, examples) that could have been offloaded to those referenced files, making the overview bloated. | 2 / 3
Total | | 7 / 12 (Passed)

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure

Criteria | Description | Result
--- | --- | ---
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning
Total | | 9 / 11 (Passed)

Repository: jeremylongshore/claude-code-plugins-plus-skills
Reviewed
