api-fuzzing-bug-bounty

Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.

Quality

55%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Critical

Do not install without reviewing

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/api-fuzzing-bug-bounty/SKILL.md

Quality

Content

27%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads more like a comprehensive cheat sheet or reference document than a focused, actionable skill for Claude. While it contains genuinely useful payloads and techniques, it suffers from being monolithic, overly verbose, and lacking validation/verification steps. The content would benefit significantly from being split into a concise overview with references to detailed sub-files for each attack category.

Suggestions

Split the content into a concise SKILL.md overview (~50-80 lines) with references to separate files like GRAPHQL.md, IDOR.md, INJECTION.md, and TOOLS.md for detailed payloads and techniques.

Remove sections that explain concepts Claude already knows (API Types Overview table, IDOR definition, Purpose/Inputs/Outputs boilerplate, 'When to Use' section).

Add explicit validation checkpoints: how to confirm a finding is a true positive (e.g., 'If response contains different user data, IDOR confirmed'), and what constitutes sufficient evidence for a report.

Add a feedback loop for the core workflow: after each test category, include a step to document findings and verify exploitability before proceeding to the next category.

Dimension	Reasoning	Score
Conciseness	The skill is extremely verbose at ~350+ lines, includes unnecessary sections like 'API Types Overview' table (Claude knows this), explains what IDOR is, lists extensive tool URLs that could be in a separate reference file, and includes a meaningless 'When to Use' section. The 'Purpose', 'Inputs/Prerequisites', and 'Outputs/Deliverables' sections restate obvious information.	1 / 3
Actionability	Provides concrete payloads and example commands that are useful (IDOR bypass techniques, GraphQL introspection queries, SQL injection in JSON), but many examples are incomplete snippets rather than fully executable workflows. The payloads are copy-paste ready but lack context on how to interpret results or chain attacks together.	2 / 3
Workflow Clarity	Steps 1-5 provide a reasonable sequence for API testing, but there are no validation checkpoints or feedback loops. There's no guidance on verifying findings, confirming true positives vs false positives, or what to do when a step fails beyond the basic troubleshooting table. For security testing involving potentially destructive operations, this lack of verification is a significant gap.	2 / 3
Progressive Disclosure	This is a monolithic wall of content with no references to external files despite being well over 300 lines. The tools reference table, detailed GraphQL testing, endpoint bypass techniques, and PDF export attacks could all be separate reference files. Everything is crammed into a single document with no layered navigation.	1 / 3
	Total	6 / 12 Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong description with excellent specificity and trigger term coverage for its security testing niche. It clearly lists concrete capabilities and uses natural terminology that security professionals would search for. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about API security testing, API pentesting, bug bounty API targets, or exploiting API vulnerabilities.'

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions: testing REST/SOAP/GraphQL APIs, vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors. These are concrete, actionable capabilities.	3 / 3
Completeness	Clearly answers 'what does this do' with specific techniques and API types, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The when is only implied through context (bug bounty, pentesting engagements).	2 / 3
Trigger Term Quality	Includes strong natural keywords users would say: 'REST', 'SOAP', 'GraphQL', 'API', 'bug bounty', 'penetration testing', 'authentication bypass', 'IDOR'. These are terms security professionals naturally use when seeking this type of guidance.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive with a clear niche: API security testing in bug bounty/pentest contexts. The combination of specific API types (REST, SOAP, GraphQL) with specific attack vectors (IDOR, auth bypass) makes it unlikely to conflict with general coding or generic security skills.	3 / 3
	Total	11 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	10 / 11 Passed

Repository: sickn33/antigravity-awesome-skills
Commit: d89c349

Reviewed: 3 days ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.