pt-fuzzing-web-api
Performs authorized fuzzing of web applications and APIs to discover input validation failures, parser bugs, and stability issues. Use when testing HTTP endpoints, request parameters, payload handling, and error behavior under malformed or unexpected inputs.
79
67%
Does it follow best practices?
Impact
99%
1.41xAverage score across 3 eval scenarios
Risky
Do not use without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/pt-fuzzing-web-api/SKILL.mdQuality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that clearly defines its scope (fuzzing web applications and APIs), lists specific outcomes (input validation failures, parser bugs, stability issues), and provides explicit trigger guidance with natural keywords. It uses proper third-person voice and is concise without being vague. The description would perform well in a large skill library due to its distinct niche focus.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'fuzzing of web applications and APIs', 'discover input validation failures, parser bugs, and stability issues', and mentions testing of 'HTTP endpoints, request parameters, payload handling, and error behavior under malformed or unexpected inputs'. | 3 / 3 |
Completeness | Clearly answers both 'what' (performs fuzzing to discover input validation failures, parser bugs, stability issues) and 'when' (explicit 'Use when testing HTTP endpoints, request parameters, payload handling, and error behavior under malformed or unexpected inputs'). | 3 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'fuzzing', 'web applications', 'APIs', 'input validation', 'HTTP endpoints', 'request parameters', 'payload handling', 'malformed inputs', 'error behavior'. These cover the domain well with terms a security tester would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Fuzzing is a very specific security testing niche. The description clearly targets malformed/unexpected input testing for web apps and APIs, which is distinct from general security scanning, penetration testing, or other testing skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
35%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads as a high-level methodology document rather than an actionable skill for Claude. Its biggest weakness is the complete absence of concrete, executable guidance—no tool names, no example commands, no sample payloads or code. The workflow structure is reasonable but remains abstract, and the output template is a useful addition but doesn't compensate for the lack of actionability.
Suggestions
Add concrete tool usage examples (e.g., ffuf, curl, or Python requests) with executable commands and sample mutation payloads that Claude can directly adapt and run.
Include specific example fuzzing payloads for common mutation strategies (e.g., boundary-length strings, type confusion inputs, encoding variations) rather than just naming the categories.
Add explicit stop-condition checks within the execution step as a feedback loop, e.g., 'If 5xx rate exceeds 10%, pause and reduce concurrency before continuing.'
Provide at least one complete worked example showing a target endpoint, the fuzzing command used, the anomalous response observed, and the resulting finding report.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is reasonably efficient and doesn't over-explain basic concepts, but some sections like the objectives and workflow steps are somewhat generic and could be tightened. Phrases like 'Produce reproducible cases and actionable remediation guidance' are vague filler rather than precise instruction. | 2 / 3 |
Actionability | The skill provides no concrete code, commands, tool names, or executable examples. It reads as a high-level process description rather than actionable guidance—there are no specific fuzzing tools (e.g., ffuf, wfuzz, Burp), no example curl commands, no sample mutation payloads, and no concrete code snippets Claude could execute. | 1 / 3 |
Workflow Clarity | The workflow has a clear 5-step sequence with logical ordering and includes a validation/triage step (step 4). However, the steps lack explicit validation checkpoints with concrete commands, and there's no feedback loop for error recovery during the fuzzing execution phase itself (e.g., what to do when a stop condition is hit). | 2 / 3 |
Progressive Disclosure | The content is reasonably well-structured with clear sections (workflow, output template, quality checks), but it's a monolithic file with no references to supplementary materials. The output template and mutation strategies could benefit from being linked to separate detailed references (e.g., a payload dictionary file or mutation strategy guide). | 2 / 3 |
Total | 7 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Repository
- santosomar/ethical-hacking-agent-skills
- Commit
9976e81
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.