
pt-web-application-assessment

Performs authorized web application and API penetration testing with focus on OWASP-style risks and business logic flaws. Use when assessing websites, web APIs, authentication flows, session handling, and input validation.

Score: 91
Quality: 86% (Does it follow best practices?)
Impact: 100% (1.51x, average score across 3 eval scenarios)

Security by Snyk: Passed (No known issues)


Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a well-crafted skill description that excels across all dimensions. It uses third person voice correctly, provides specific security testing capabilities, includes a clear 'Use when...' clause with natural trigger terms, and occupies a distinct niche that won't conflict with other skills. The combination of technical terms (OWASP, penetration testing) with practical contexts (websites, APIs, authentication) makes it highly discoverable.

Dimension (Score): Reasoning

Specificity (3 / 3): Lists multiple specific concrete actions: 'penetration testing', 'OWASP-style risks', 'business logic flaws', 'authentication flows', 'session handling', and 'input validation', all concrete security testing activities.

Completeness (3 / 3): Clearly answers both what ('Performs authorized web application and API penetration testing with focus on OWASP-style risks and business logic flaws') and when ('Use when assessing websites, web APIs, authentication flows, session handling, and input validation') with explicit trigger guidance.

Trigger Term Quality (3 / 3): Includes natural keywords users would say: 'web application', 'API', 'penetration testing', 'websites', 'web APIs', 'authentication', 'session handling', 'input validation', and 'OWASP', covering both technical and common terminology.

Distinctiveness / Conflict Risk (3 / 3): Clear niche in the security/penetration testing domain with distinct triggers like 'OWASP', 'penetration testing', and 'business logic flaws' that are unlikely to conflict with general development or documentation skills.

Total: 12 / 12 (Passed)

Implementation

72%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is well-structured and concise, effectively outlining a web application assessment methodology without over-explaining concepts Claude already knows. However, it lacks concrete executable examples (specific test payloads, tool commands, or code snippets) that would make it immediately actionable, and the workflow could benefit from explicit validation checkpoints between testing phases.

Suggestions

Add concrete examples of test payloads or commands for key vulnerability classes (e.g., specific SQLi test strings, XSS vectors, or curl commands for auth bypass testing)

Include explicit validation checkpoints in the workflow, such as 'Verify scope coverage before proceeding to exploitation' or 'Confirm finding reproducibility before documenting'

Add a brief example of a completed finding entry in the output template to demonstrate expected detail level

Dimension (Score): Reasoning

Conciseness (3 / 3): Content is lean and efficient with no unnecessary explanations. Every section serves a purpose and assumes Claude understands web security concepts, OWASP terminology, and testing methodologies.

Actionability (2 / 3): Provides structured guidance and clear categories to test, but lacks concrete executable examples. No specific payloads, tool commands, or code snippets for testing injection, XSS, or auth bypass scenarios.

Workflow Clarity (2 / 3): Steps are listed in logical sequence but lack explicit validation checkpoints between phases. No feedback loops for when tests fail or findings need verification before proceeding.

Progressive Disclosure (3 / 3): Well-organized single file with clear sections. For a skill of this scope, the structure is appropriate, with distinct workflow, output template, and quality checks sections and no need for external references.

Total: 10 / 12 (Passed)

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 passed

Validation for skill structure: no warnings or errors.

Repository: santosomar/ethical-hacking-agent-skills (Reviewed)
