
api-security-hardening

REST API security hardening with authentication, rate limiting, input validation, security headers. Use for production APIs, security audits, defense-in-depth, or encountering vulnerabilities, injection attacks, CORS issues.

91

1.39x
Quality

89%

Does it follow best practices?

Impact

89%

1.39x

Average score across 3 eval scenarios

Security by Snyk

Passed

No known issues


Quality

Content

79%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a solid, actionable skill with clean, executable code examples that respect Claude's intelligence. Its main weaknesses are the lack of verification/testing steps for the security measures being implemented and a referenced file (python-nginx.md) that doesn't appear to exist in the bundle. The content would benefit from explicit validation checkpoints to confirm security hardening is working correctly.

Suggestions

Add verification steps after each security implementation (e.g., 'Test rate limiting: `curl -X POST http://localhost:3000/api/auth/login` 6 times rapidly—6th should return 429')

Either provide the referenced python-nginx.md bundle file or remove the reference to avoid broken navigation

Dimension / Reasoning / Score

Conciseness

The content is lean and efficient. It jumps straight into executable code without explaining what security headers are or why rate limiting matters—things Claude already knows. Every section delivers actionable content without padding.

3 / 3

Actionability

All code examples are fully executable, copy-paste ready Express.js middleware configurations. The input validation, security headers, and rate limiting sections provide concrete, working code with specific library imports and configurations.

3 / 3

Workflow Clarity

The security checklist provides a good overview of what needs to be done, but there's no explicit sequencing of implementation steps or validation checkpoints. For security hardening—a domain where verification is critical—there are no steps to test/verify that security measures are working (e.g., testing rate limits, validating headers with curl).

2 / 3

Progressive Disclosure

The reference to python-nginx.md is well-signaled and one level deep, which is good. However, the bundle files indicate no bundle was provided, meaning the referenced file doesn't exist. The main content is also somewhat monolithic—the Express middleware stack, input validation, and security headers could potentially be better organized with clearer navigation signals.

2 / 3

Total: 10 / 12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that concisely covers specific capabilities (authentication, rate limiting, input validation, security headers) and provides explicit trigger guidance for when to use it. The trigger terms are natural and varied, covering both proactive scenarios (production APIs, security audits) and reactive ones (vulnerabilities, injection attacks, CORS issues). It uses proper third-person voice and is well-scoped to avoid conflicts with other skills.

Dimension / Reasoning / Score

Specificity

Lists multiple specific concrete actions: authentication, rate limiting, input validation, security headers. These are distinct, well-defined security capabilities rather than vague abstractions.

3 / 3

Completeness

Clearly answers both what ('REST API security hardening with authentication, rate limiting, input validation, security headers') and when ('Use for production APIs, security audits, defense-in-depth, or encountering vulnerabilities, injection attacks, CORS issues').

3 / 3

Trigger Term Quality

Includes strong natural keywords users would say: 'security hardening', 'rate limiting', 'input validation', 'security headers', 'vulnerabilities', 'injection attacks', 'CORS issues', 'security audits', 'production APIs'. Good coverage of terms across different user intents.

3 / 3

Distinctiveness Conflict Risk

Clearly scoped to REST API security hardening specifically, with distinct triggers like 'injection attacks', 'CORS issues', 'rate limiting', and 'security headers' that are unlikely to conflict with general coding or non-security API skills.

3 / 3

Total: 12 / 12

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: secondsky/claude-skills (Reviewed)
