Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.
Impact: Pending (no eval scenarios have been run)
Critical: do not install without reviewing
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/api-fuzzing-bug-bounty/SKILL.md`

Quality
Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent specificity and trigger term coverage for its security testing niche. The main weakness is the absence of an explicit 'Use when...' clause, which caps completeness at 2. Adding explicit trigger guidance would make this description excellent.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about API security testing, API pentesting, bug bounty API targets, or exploiting API vulnerabilities.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: testing REST/SOAP/GraphQL APIs, vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors. These are concrete, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' with specific techniques and API types, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The when is only implied through context (bug bounty, pentesting engagements). | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'REST', 'SOAP', 'GraphQL', 'API', 'bug bounty', 'penetration testing', 'authentication bypass', 'IDOR'. These are terms security professionals naturally use when seeking this type of guidance. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: API security testing in bug bounty/pentest contexts. The combination of specific API types (REST, SOAP, GraphQL) with specific attack vectors (IDOR, auth bypass) makes it unlikely to conflict with general API development or other security skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 57%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill excels at actionability with concrete, executable payloads and commands across multiple API types and attack vectors. However, it suffers from being a monolithic document that should leverage progressive disclosure by splitting GraphQL testing, tools references, and bypass techniques into separate files. The workflow lacks validation checkpoints for confirming vulnerability findings, which is important for security testing accuracy.
Suggestions
Split the content into multiple files: move GraphQL-specific testing to GRAPHQL.md, tools reference to TOOLS.md, and bypass techniques to BYPASSES.md, with clear links from the main skill
Add validation/verification steps after each attack technique (e.g., how to confirm a true positive IDOR vs a false positive, how to verify SQLi is actually exploitable)
Remove the API Types Overview table and Inputs/Prerequisites section - Claude already knows REST/SOAP/GraphQL protocols and doesn't need this context
Remove the vacuous 'When to Use' section at the bottom which adds no value
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly comprehensive but includes some unnecessary sections like the API Types Overview table (Claude knows this), the 'Inputs/Prerequisites' and 'Outputs/Deliverables' sections that add little value, and the 'When to Use' footer is vacuous. The tools reference table is extensive but could be trimmed or moved to a separate file. | 2 / 3 |
| Actionability | The skill provides highly concrete, copy-paste ready payloads, commands, and examples across all attack vectors. Each technique includes specific request formats, URLs, and expected responses. The GraphQL introspection queries, IDOR bypass techniques, and injection payloads are all directly executable. | 3 / 3 |
| Workflow Clarity | The 5-step workflow provides a reasonable sequence (recon → auth → IDOR → injection → methods), but lacks validation checkpoints between steps. There's no guidance on verifying findings, confirming true positives vs false positives, or feedback loops for when techniques fail. For security testing involving potentially destructive operations, this is a notable gap. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of content (~300+ lines) with no references to external files. The tools reference table, GraphQL-specific testing, and endpoint bypass techniques could each be separate files. Everything is inlined, making it a large single document that would consume significant context window. | 1 / 3 |
| Total | | 8 / 12 Passed |
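The verification checkpoint the review asks for, both in the suggestion about confirming a true positive IDOR and in the Workflow Clarity row, can be made concrete. The script below is an added example written for this page; it is not code from the skill under review or from Tessl. It is a differential check for an IDOR candidate: a cross-account request is reported as confirmed only when the attacker's response for the victim's object id matches the victim's own view of that object and differs from the attacker's own record, so a 200 that merely echoes the caller's record, an error wrapper or an empty stub does not count. The tenant ids, field names, volatile-field list and response bodies are constructed for the demonstration and assume a JSON API.

```python
"""Differential confirmation of an IDOR candidate (constructed example).

A 200 on a cross-account request is not a finding by itself: APIs commonly
answer 200 with the caller's own record, an empty stub, or a JSON error
wrapper when the object id is not authorized. A candidate is confirmed only
when the attacker's view of the victim's object id equals the victim's own
view of that id and differs from the attacker's own record.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """Minimal stand-in for an HTTP response captured during testing."""
    status: int
    body: str


def normalize(body, volatile=("request_id", "timestamp", "etag")):
    """Parse a JSON body and drop fields that change between otherwise
    identical fetches (the volatile list is an assumption for this example).

    Returns None when the body is not JSON (HTML error page, login redirect)
    so the caller treats it as inconclusive rather than as a match or mismatch.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    return _strip(data, set(volatile))


def _strip(node, volatile):
    # Recursively remove volatile keys so two fetches of the same record compare equal.
    if isinstance(node, dict):
        return {k: _strip(v, volatile) for k, v in node.items() if k not in volatile}
    if isinstance(node, list):
        return [_strip(v, volatile) for v in node]
    return node


def classify_idor(attacker_own, attacker_cross, victim_own):
    """Classify one candidate from three captured responses.

    attacker_own   : attacker requesting their own object id (baseline)
    attacker_cross : attacker requesting the victim's object id (the candidate)
    victim_own     : victim requesting their own object id (ground truth)

    Returns "denied", "confirmed" or "inconclusive".
    """
    if attacker_cross.status in (401, 403, 404):
        return "denied"
    if attacker_cross.status != 200 or victim_own.status != 200:
        return "inconclusive"          # unexpected status or no usable ground truth
    cross = normalize(attacker_cross.body)
    own = normalize(attacker_own.body)
    victim = normalize(victim_own.body)
    if cross is None or victim is None:
        return "inconclusive"          # non-JSON body, e.g. an HTML error page
    if cross == own:
        return "inconclusive"          # server silently served the caller's own record
    if cross == victim:
        return "confirmed"             # attacker sees exactly what the victim sees
    return "inconclusive"              # stub, partial object or JSON error wrapper


# Constructed sample responses (hypothetical tenants alice = 1001, bob = 1002).
ATTACKER_OWN = Response(200, '{"id": 1001, "email": "alice@example.test", "plan": "free", "request_id": "r1"}')
VICTIM_OWN = Response(200, '{"id": 1002, "email": "bob@example.test", "plan": "pro", "request_id": "r2"}')
# true positive: the attacker's request for id 1002 returns bob's record
CROSS_LEAK = Response(200, '{"id": 1002, "email": "bob@example.test", "plan": "pro", "request_id": "r3"}')
# false positive: 200, but the server substituted alice's own record
CROSS_SUBSTITUTED = Response(200, '{"id": 1001, "email": "alice@example.test", "plan": "free", "request_id": "r4"}')
# false positive: 200 carrying a JSON error wrapper
CROSS_ERROR_WRAPPER = Response(200, '{"error": "object not found", "request_id": "r5"}')
# correctly authorized endpoint
CROSS_DENIED = Response(403, '{"error": "forbidden"}')


def run_demo():
    """Return the verdict for each constructed candidate."""
    return {
        "leak": classify_idor(ATTACKER_OWN, CROSS_LEAK, VICTIM_OWN),
        "substituted": classify_idor(ATTACKER_OWN, CROSS_SUBSTITUTED, VICTIM_OWN),
        "error_wrapper": classify_idor(ATTACKER_OWN, CROSS_ERROR_WRAPPER, VICTIM_OWN),
        "denied": classify_idor(ATTACKER_OWN, CROSS_DENIED, VICTIM_OWN),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The three-response design is the point: the victim's own view is the ground truth, so the tester needs two accounts they control on the target rather than inferring a leak from status codes alone, and the check stays conservative by reporting anything other than an exact match as inconclusive for manual review.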
Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
d739c8b