REST API security hardening with authentication, rate limiting, input validation, security headers. Use for production APIs, security audits, defense-in-depth, or encountering vulnerabilities, injection attacks, CORS issues.
Overall score: 93%
Does it follow best practices?

Impact: 89% (1.39x average score across 3 eval scenarios; Passed)
No known issues

Quality

Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that concisely covers specific capabilities (authentication, rate limiting, input validation, security headers) and provides explicit trigger conditions for when to use it. It uses third person voice appropriately and includes a rich set of natural keywords that developers would use when seeking API security help. The description is well-structured, distinct, and complete.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: authentication, rate limiting, input validation, security headers. These are distinct, actionable security hardening techniques rather than vague abstractions. | 3 / 3 |
| Completeness | Clearly answers both what ('REST API security hardening with authentication, rate limiting, input validation, security headers') and when ('Use for production APIs, security audits, defense-in-depth, or encountering vulnerabilities, injection attacks, CORS issues'). Has an explicit 'Use for...' clause with trigger scenarios. | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'security', 'rate limiting', 'input validation', 'security headers', 'vulnerabilities', 'injection attacks', 'CORS issues', 'security audits', 'production APIs'. Good coverage of terms a developer would naturally use when seeking API security help. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clearly scoped to REST API security hardening specifically, with distinct triggers like 'injection attacks', 'CORS issues', 'rate limiting', and 'security headers' that are unlikely to conflict with general coding skills or non-security API skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
Implementation: 87%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, actionable skill with executable code examples and efficient use of tokens. It covers multiple security layers concisely and uses progressive disclosure well by deferring Python/Nginx content to a reference file. The main weakness is the lack of verification steps—there's no guidance on how to confirm the security measures are working correctly (e.g., testing headers with curl, verifying rate limits), which is important for security-critical operations.
Suggestions
Add a brief verification section showing how to confirm security measures are active (e.g., `curl -I https://api.example.com` to check headers, or testing rate limit responses).
Consider adding a recommended implementation order or noting that middleware ordering matters in Express (e.g., helmet before routes, rate limiting early in the stack).
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient. No unnecessary explanations of what security headers are or why rate limiting matters; it jumps straight to executable code. The checklist and 'Never Do' sections are terse and valuable. | 3 / 3 |
| Actionability | All code examples are fully executable, copy-paste ready Express.js middleware with specific library imports, concrete configuration values, and real validation rules. The security checklist provides concrete verification items. | 3 / 3 |
| Workflow Clarity | The content presents security layers as independent middleware blocks but lacks a clear sequencing workflow for implementation order, and there are no validation/verification steps (e.g., how to test that headers are correctly set, or how to verify rate limiting is working). For security hardening, a domain where misconfiguration can be destructive, the absence of verification steps is notable. | 2 / 3 |
| Progressive Disclosure | The main file provides a concise overview with executable examples for the primary stack (Express), and clearly signals a one-level-deep reference to python-nginx.md for alternative implementations. Content is well-organized into logical sections. | 3 / 3 |
| Total | | 11 / 12 Passed |
Validation
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.