CtrlK
BlogDocsLog inGet started
Tessl Logo

x-api-pentest

Use when the user provides an OpenAPI or Swagger spec and asks to find security issues, pentest the API, audit endpoints for OWASP API Top 10, or check for BOLA, BFLA, mass assignment, injection, or SSRF vulnerabilities in a running HTTP API

80

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Critical

Do not install without reviewing

SKILL.md
Quality
Evals
Security

Quality

Content

100%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A well-engineered orchestration skill: lean, actionably concrete, with an explicit checkpointed workflow and clean one-level-deep reference structure. The one structural weakness is that the workflow's step files (steps/step-01..06), gotchas.md, and ../x-shared/* are referenced but not present in the bundle.

Suggestions

Ship the referenced steps/step-01-recon.md through steps/step-06-report.md inside the bundle — they are the actual executable workflow the body defers to, and their absence breaks navigation from 'Start with step 1 now'.

Include gotchas.md in the bundle (or inline its Noise Filters) since the bootstrap and Red Flags sections depend on it but it is not present.

Verify ../x-shared/capability-loading.md and ../x-shared/severity-guide.md resolve from the skill's install location, or inline the capability-pinning and severity essentials so the skill is self-contained.

DimensionReasoningScore

Conciseness

Lean orchestration overview with terse pointers and no explanation of concepts Claude already knows; every section earns its place (bootstrap, scope, workflow, red flags).

3 / 3

Actionability

Concrete config keys (safety.require_target_confirmation, safety.allowed_target_patterns), exact tool list, and specific safety flags (cap_drop: ALL, no-new-privileges) give executable guidance even without inline code blocks.

3 / 3

Workflow Clarity

Numbered bootstrap (0–4) plus a 6-step workflow with explicit halt/checkpoint gates, a Red Flags stop list, and blind re-verification of Critical/High findings before completion.

3 / 3

Progressive Disclosure

Overview body points to well-signaled one-level-deep references/ files, each with a one-line description; content is appropriately split for easy navigation.

3 / 3

Total

12

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, specific description with an explicit 'Use when' trigger, concrete named actions, and natural user vocabulary. Third-person voice is preserved and it is clearly distinguishable from sibling security skills.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'find security issues, pentest the API, audit endpoints for OWASP API Top 10, or check for BOLA, BFLA, mass assignment, injection, or SSRF vulnerabilities' — rather than vague language.

3 / 3

Completeness

Explicitly answers both what (find/pentest/audit/check vulnerabilities) and when via an explicit 'Use when the user provides an OpenAPI or Swagger spec and asks...' trigger clause.

3 / 3

Trigger Term Quality

Covers natural terms a user would say ('security issues', 'pentest the API', 'audit endpoints', 'OWASP API Top 10', named vuln classes); not just technical jargon.

3 / 3

Distinctiveness Conflict Risk

Clear niche — OpenAPI/Swagger-spec-driven dynamic API pentesting — with distinct triggers unlikely to fire for static review or secret-scanning skills.

3 / 3

Total

12

/

12

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation16 / 16 Passed

Validation for skill structure

No warnings or errors.

Repository
quangtran88/x-skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.