
pt-web-application-assessment

Performs authorized web application and API penetration testing with focus on OWASP-style risks and business logic flaws. Use when assessing websites, web APIs, authentication flows, session handling, and input validation.

Overall score: 79

Quality: 67% (Does it follow best practices?)

Impact: 100%, 1.51x (average score across 3 eval scenarios)

Security by Snyk: Passed, no known issues


Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly defines its scope (web app and API pentesting), lists specific capability areas (OWASP risks, business logic flaws, authentication, session handling, input validation), and includes an explicit 'Use when' clause with natural trigger terms. It uses proper third-person voice and is concise without being vague.

Dimension, reasoning and score:

Specificity (3 / 3)

Lists multiple specific, concrete actions and domains: 'OWASP-style risks', 'business logic flaws', 'authentication flows', 'session handling', 'input validation'. These are concrete, well-defined security testing areas.

Completeness (3 / 3)

Clearly answers both what ('Performs authorized web application and API penetration testing with focus on OWASP-style risks and business logic flaws') and when ('Use when assessing websites, web APIs, authentication flows, session handling, and input validation') with an explicit 'Use when' clause.

Trigger Term Quality (3 / 3)

Includes strong natural keywords users would say: 'penetration testing', 'web application', 'API', 'OWASP', 'authentication flows', 'session handling', 'input validation', 'websites', 'web APIs'. Good coverage of terms a security professional would use.

Distinctiveness / Conflict Risk (3 / 3)

Highly distinctive niche — web application and API penetration testing is a specific domain unlikely to conflict with general coding, document processing, or other skills. The focus on OWASP, business logic flaws, and security-specific triggers makes it clearly distinguishable.

Total: 12 / 12 (Passed)

Implementation: 35%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads more like a high-level penetration testing methodology outline than an actionable skill for Claude. It effectively categorizes what should be tested but provides almost no concrete guidance on how—no specific tools, commands, payloads, or code examples. The workflow structure is reasonable but would benefit from validation checkpoints and concrete examples of each testing category.

Suggestions

Add concrete, executable examples for each testing category—e.g., specific curl commands for testing IDOR, example payloads for XSS/injection testing, or tool invocations (Burp, ffuf, sqlmap) with actual command-line syntax.

Include at least one worked example showing a complete finding from discovery through PoC to remediation, with real endpoint patterns and evidence formatting.

Add validation checkpoints within the workflow, such as 'Verify scope coverage before proceeding to exploitation' or 'Confirm authorization for each endpoint before testing.'

Break out detailed technique guides into referenced files (e.g., AUTH_TESTING.md, INJECTION_TESTING.md) and keep SKILL.md as a concise overview with navigation links.

Dimension, reasoning and score:

Conciseness (2 / 3)

The content is reasonably efficient and doesn't over-explain concepts Claude already knows, but some sections like 'Objectives' are somewhat generic and could be trimmed. The workflow steps are descriptive rather than padded, though they read more like a checklist of categories than actionable instructions.

Actionability (1 / 3)

The skill provides abstract categories and checklists (e.g., 'Test control families: Authentication and session management') but lacks any concrete commands, tool usage, specific payloads, code snippets, or executable examples. It describes what to test but not how to test it.

Workflow Clarity (2 / 3)

The workflow has a clear 5-step sequence from mapping to remediation, but lacks validation checkpoints and feedback loops. There's no guidance on what to do when a step fails, no explicit verification between steps, and the 'Quality Checks' section is a post-hoc checklist rather than integrated validation.

Progressive Disclosure (2 / 3)

The content is organized into clear sections with headers, but everything is inline in a single file with no references to supplementary materials. For a topic this broad (covering auth, injection, XSS, business logic, API testing), detailed technique guides or tool-specific references would improve navigation and reduce the need to pack everything into one file.

Total: 7 / 12 (Passed)

Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 11 / 11 passed. No warnings or errors.

Repository: santosomar/ethical-hacking-agent-skills (Reviewed)
