tessl i github:secondsky/claude-skills --skill api-security-hardening

REST API security hardening with authentication, rate limiting, input validation, security headers. Use for production APIs, security audits, defense-in-depth, or encountering vulnerabilities, injection attacks, CORS issues.
Validation

75%

| Criteria | Description | Result |
|---|---|---|
| description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
| Total | 12 / 16 Passed | |
Implementation

88%

This is a strong security hardening skill with excellent conciseness and actionability. The code examples are production-ready and cover multiple security layers effectively. The main weakness is the lack of explicit workflow guidance for implementing and validating these security measures in sequence.

Suggestions

- Add a brief implementation order section (e.g., '1. Add helmet first, 2. Configure rate limiting, 3. Validate with curl/test requests') with verification steps
- Include a simple validation command or test to verify security headers are properly set (e.g., 'curl -I https://yourapi.com | grep -i security')

| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient, providing only actionable code examples without explaining what security headers are or why rate limiting matters. Every section delivers executable code without unnecessary preamble. | 3 / 3 |
| Actionability | All code examples are fully executable and copy-paste ready with real library imports, concrete configuration values, and complete middleware implementations. The validation example shows a complete request handler pattern. | 3 / 3 |
| Workflow Clarity | The skill presents security layers but lacks explicit sequencing for implementation order or validation checkpoints. The checklist is helpful but doesn't indicate how to verify each item is properly configured or provide feedback loops for testing security measures. | 2 / 3 |
| Progressive Disclosure | Clear structure with main Express examples in the skill file and additional Python/Nginx implementations properly referenced in a separate file. The reference is one level deep and clearly signals what additional content is available. | 3 / 3 |
| Total | | 11 / 12 Passed |
Activation

100%

This is a well-crafted skill description that excels across all dimensions. It provides specific security capabilities, uses natural developer terminology as trigger terms, explicitly states both what it does and when to use it, and carves out a distinct niche in REST API security that minimizes conflict with other skills.

| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'authentication, rate limiting, input validation, security headers'. These are distinct, actionable security measures rather than vague concepts. | 3 / 3 |
| Completeness | Clearly answers both what ('REST API security hardening with authentication, rate limiting, input validation, security headers') and when ('Use for production APIs, security audits, defense-in-depth, or encountering vulnerabilities, injection attacks, CORS issues'). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'security audit', 'vulnerabilities', 'injection attacks', 'CORS issues', 'production APIs', 'rate limiting'. These are terms developers naturally use when facing security concerns. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clear niche focused specifically on REST API security, with distinct triggers like 'security hardening', 'injection attacks', 'CORS issues' that wouldn't overlap with general API development or other security skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Reviewed