api-fuzzing-bug-bounty
Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.
50
55%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Critical
Do not install without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/api-fuzzing-bug-bounty/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent specificity and trigger term coverage for its security testing niche. It clearly lists concrete capabilities and uses natural terminology that security professionals would search for. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill over others.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about API security testing, API pentesting, finding API vulnerabilities, or testing endpoints for security issues.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: testing REST/SOAP/GraphQL APIs, vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors. These are concrete, actionable capabilities. | 3 / 3 |
Completeness | Clearly answers 'what does this do' with specific techniques and API types, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The when is only implied through context (bug bounty, pentesting engagements). | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'REST', 'SOAP', 'GraphQL', 'API', 'bug bounty', 'penetration testing', 'authentication bypass', 'IDOR'. These are terms security professionals naturally use when seeking this type of guidance. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche: API security testing in bug bounty/pentest contexts. The combination of specific API types (REST, SOAP, GraphQL) with specific attack vectors (IDOR, auth bypass) makes it unlikely to conflict with general coding or generic security skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
27%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a comprehensive cheat sheet or reference document than a focused, actionable skill for Claude. While it contains genuinely useful payloads and techniques, it suffers from excessive verbosity, lack of progressive disclosure (everything in one file), and missing validation/verification steps critical for security testing workflows. The content would benefit significantly from being split into focused sub-files with SKILL.md serving as a concise overview and router.
Suggestions
Split content into separate files: move GraphQL testing, tool references, bypass techniques, and injection payloads into dedicated reference files, keeping SKILL.md as a concise workflow overview with links.
Remove sections that explain concepts Claude already knows (API Types Overview table, IDOR definition, Purpose/Inputs/Outputs boilerplate) to reduce token usage by ~30%.
Add explicit validation checkpoints: after each testing step, include how to verify findings are true positives (e.g., 'Confirm IDOR by comparing response data against known account data').
Replace the generic 'When to Use' section with specific trigger conditions (e.g., 'User asks to test an API endpoint for authorization flaws' or 'Target has GraphQL endpoint').
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is extremely verbose at ~350+ lines, includes unnecessary sections like 'API Types Overview' table (Claude knows this), explains what IDOR is, lists extensive tool URLs that could be in a separate reference file, and includes a meaningless 'When to Use' section. The 'Purpose', 'Inputs/Prerequisites', and 'Outputs/Deliverables' sections restate obvious information. | 1 / 3 |
Actionability | Provides concrete payloads and commands that are useful (IDOR bypass techniques, GraphQL introspection queries, injection payloads), but many examples are incomplete or lack context—e.g., 'kr scan' without installation, 'json2paths.py' without source, SQL injection examples show responses but not how to automate testing. Much content is more of a cheat sheet than executable workflow guidance. | 2 / 3 |
Workflow Clarity | Steps 1-5 provide a reasonable sequence for API testing, but there are no validation checkpoints or feedback loops. No guidance on verifying findings, confirming true positives vs false positives, or documenting results systematically. For security testing involving potentially destructive operations, the lack of verification steps is a significant gap. | 2 / 3 |
Progressive Disclosure | This is a monolithic wall of text with no bundle files to offload content into. The tools reference table, GraphQL-specific testing, endpoint bypass techniques, and output exploitation sections could all be separate files. Everything is crammed into one massive document with no references to supporting files. | 1 / 3 |
Total | 6 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- sickn33/antigravity-awesome-skills
- Commit
45bad85
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.