pt-web-application-assessment

Performs authorized web application and API penetration testing with focus on OWASP-style risks and business logic flaws. Use when assessing websites, web APIs, authentication flows, session handling, and input validation.

1.51x

Quality

67%

Does it follow best practices?

Impact

100%

1.51x

Average score across 3 eval scenarios

Securityby

Passed

No known issues

Fix and improve this skill with Tessl

tessl review fix ./skills/pt-web-application-assessment/SKILL.md

Quality

Content

35%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads more like a high-level penetration testing methodology outline than an actionable skill for Claude. It effectively categorizes what should be tested but provides almost no concrete guidance on how—no specific tools, commands, payloads, or code examples. The workflow structure is reasonable but would benefit from validation checkpoints and concrete examples of each testing category.

Suggestions

Add concrete, executable examples for each testing category—e.g., specific curl commands for testing IDOR, example payloads for XSS/injection testing, or tool invocations (Burp, ffuf, sqlmap) with actual command-line syntax.

Include at least one worked example showing a complete finding from discovery through PoC to remediation, with real endpoint patterns and evidence formatting.

Add validation checkpoints within the workflow, such as 'Verify scope coverage before proceeding to exploitation' or 'Confirm authorization for each endpoint before testing.'

Break out detailed technique guides into referenced files (e.g., AUTH_TESTING.md, INJECTION_TESTING.md) and keep SKILL.md as a concise overview with navigation links.

Dimension	Reasoning	Score
Conciseness	The content is reasonably efficient and doesn't over-explain concepts Claude already knows, but some sections like 'Objectives' are somewhat generic and could be trimmed. The workflow steps are descriptive rather than padded, though they read more like a checklist of categories than actionable instructions.	2 / 3
Actionability	The skill provides abstract categories and checklists (e.g., 'Test control families: Authentication and session management') but lacks any concrete commands, tool usage, specific payloads, code snippets, or executable examples. It describes what to test but not how to test it.	1 / 3
Workflow Clarity	The workflow has a clear 5-step sequence from mapping to remediation, but lacks validation checkpoints and feedback loops. There's no guidance on what to do when a step fails, no explicit verification between steps, and the 'Quality Checks' section is a post-hoc checklist rather than integrated validation.	2 / 3
Progressive Disclosure	The content is organized into clear sections with headers, but everything is inline in a single file with no references to supplementary materials. For a topic this broad (covering auth, injection, XSS, business logic, API testing), detailed technique guides or tool-specific references would improve navigation and reduce the need to pack everything into one file.	2 / 3
	Total	7 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly defines its scope (web app and API pentesting), lists specific capability areas (OWASP risks, business logic flaws, authentication, session handling, input validation), and includes an explicit 'Use when' clause with natural trigger terms. It uses proper third-person voice and is concise without being vague.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions and domains: 'OWASP-style risks', 'business logic flaws', 'authentication flows', 'session handling', 'input validation'. These are concrete, well-defined security testing areas.	3 / 3
Completeness	Clearly answers both what ('Performs authorized web application and API penetration testing with focus on OWASP-style risks and business logic flaws') and when ('Use when assessing websites, web APIs, authentication flows, session handling, and input validation') with an explicit 'Use when' clause.	3 / 3
Trigger Term Quality	Includes strong natural keywords users would say: 'penetration testing', 'web application', 'API', 'OWASP', 'authentication flows', 'session handling', 'input validation', 'websites', 'web APIs'. Good coverage of terms a security professional would use.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive niche — web application and API penetration testing is a specific domain unlikely to conflict with general coding, document processing, or other skills. The focus on OWASP, business logic flaws, and security-specific triggers makes it clearly distinguishable.	3 / 3
	Total	12 / 12 Passed

Validation

100%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: santosomar/ethical-hacking-agent-skills
Commit: 9976e81

Reviewed: 2 months ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.