
api-fuzzing-bug-bounty

This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug b...

Install with Tessl CLI

npx tessl i github:sickn33/antigravity-awesome-skills --skill api-fuzzing-bug-bounty

74

Quality: 68% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/api-fuzzing-bug-bounty/SKILL.md

Discovery

72%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description excels at trigger term coverage and distinctiveness, providing excellent keywords that users would naturally say when needing API security testing. However, it inverts the typical structure by focusing almost entirely on 'when to use' triggers rather than describing what the skill actually does (its capabilities, outputs, or methodology). The truncation also suggests the description may be overly long.

Suggestions

Add a clear 'what it does' statement at the beginning describing concrete capabilities (e.g., 'Performs automated security testing on APIs including authentication bypass detection, injection testing, and rate limit analysis').

Restructure to lead with capabilities, then follow with 'Use when...' clause containing the trigger terms, rather than making the entire description a list of triggers.

Dimension | Reasoning | Score

Specificity | The description mentions specific domains (REST API, GraphQL, IDOR vulnerabilities) and actions (test, fuzz, penetration testing), but the truncation prevents seeing whether it lists comprehensive concrete actions beyond these trigger phrases. | 2 / 3

Completeness | The description focuses heavily on 'when' triggers ('should be used when the user asks to...'), but the 'what does this do' component is weak: it lists trigger phrases rather than describing the skill's actual capabilities and outputs. | 2 / 3

Trigger Term Quality | Excellent coverage of natural trigger terms users would actually say: 'test API security', 'fuzz APIs', 'find IDOR vulnerabilities', 'test REST API', 'test GraphQL', 'API penetration testing', 'bug b...' (likely 'bug bounty'). These are realistic phrases users would naturally use. | 3 / 3

Distinctiveness / Conflict Risk | Highly distinctive, with a clear niche focus on API security testing. The specific terms (IDOR, GraphQL, REST API, fuzzing, penetration testing) create a clear domain that is unlikely to conflict with general coding or document skills. | 3 / 3

Total: 10 / 12 (Passed)

Implementation

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a highly actionable API fuzzing reference with excellent concrete payloads and techniques. The main weaknesses are its monolithic structure (could benefit from splitting into focused sub-documents) and lack of explicit validation/verification steps in the workflow. The content assumes Claude's competence appropriately but could be more concise in places.

Suggestions

Add explicit validation checkpoints after each testing step (e.g., 'Verify vulnerability by checking for X response pattern before proceeding')

Split into separate files: GRAPHQL.md for GraphQL-specific content, TOOLS.md for tool references, keeping SKILL.md as a concise overview with navigation

Remove explanatory sentences like 'Insecure Direct Object Reference is the most common API vulnerability' - Claude knows what IDOR is

Dimension | Reasoning | Score

Conciseness | The skill is fairly comprehensive but includes some unnecessary explanatory text (e.g., 'Insecure Direct Object Reference is the most common API vulnerability'). The tables and quick references are efficient, but some sections could be tightened. | 2 / 3

Actionability | Excellent actionability, with copy-paste-ready commands, specific payloads, concrete GraphQL queries, and executable curl examples. Every technique includes actual test payloads rather than abstract descriptions. | 3 / 3

Workflow Clarity | Steps are numbered and sequenced (Steps 1-5), but the workflow lacks explicit validation checkpoints and feedback loops. For security testing involving potentially destructive operations, there is no guidance on verifying successful exploitation or handling false positives. | 2 / 3

Progressive Disclosure | Content is well organized, with clear sections and tables, but it is a monolithic 300+ line document. The extensive tool references and GraphQL-specific content could be split into separate files with clear navigation links. | 2 / 3

Total: 9 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria | Description | Result

frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning

Total: 10 / 11 (Passed)
