
api-security-best-practices

Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities

Overall score: 58

Quality: 37% (Does it follow best practices?)

Impact: 100%, 1.17x average score across 3 eval scenarios

Security (by Snyk): Passed, no known issues


Quality

Content

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides genuinely useful, executable code examples for API security patterns, which is its primary strength. However, it is massively over-length and verbose, explaining many concepts Claude already knows (what SQL injection is, why HTTPS matters, what rate limiting prevents). The entire content is crammed into a single monolithic file with no progressive disclosure, and the high-level workflow lacks explicit validation checkpoints between steps.

Suggestions

Reduce the file to a concise overview (~100 lines) with key patterns and move the three large example blocks into separate referenced files (e.g., JWT_AUTH.md, INPUT_VALIDATION.md, RATE_LIMITING.md).

Remove explanatory content Claude already knows: the 'Why Rate Limiting?' bullets, OWASP Top 10 descriptions, the 'When to Use This Skill' list, and generic do/don't advice like 'Use HTTPS Everywhere'.

Add explicit validation checkpoints to the workflow, e.g., 'After implementing auth middleware, test with: curl -H "Authorization: Bearer invalid" to verify rejection before proceeding to input validation.'

Eliminate the 'Additional Resources' links and 'Pro Tip' footer — these add no actionable value for Claude's task execution.

Dimension / Reasoning / Score

Conciseness

Extremely verbose at 500+ lines. Explains concepts Claude already knows (what rate limiting is, why HTTPS matters, what SQL injection is). The 'Why Rate Limiting?' bullet list, OWASP Top 10 summaries, and extensive do/don't lists are all common knowledge for Claude. The 'When to Use This Skill' section with 8 bullet points is unnecessary padding.

1 / 3

Actionability

The code examples are fully executable, complete with imports, error handling, and realistic patterns. JWT authentication, input validation with Zod, rate limiting with Redis, and the common pitfalls all provide copy-paste ready code with proper context.

3 / 3

Workflow Clarity

The 5-step process (Authentication → Input Validation → Rate Limiting → Data Protection → Security Testing) provides a sequence but lacks validation checkpoints between steps. Step 5 mentions testing but doesn't provide concrete verification commands or feedback loops. The individual code examples are well-structured but the overall workflow doesn't have explicit 'verify before proceeding' gates.

2 / 3

Progressive Disclosure

Monolithic wall of text with everything inline — the three massive example blocks, best practices, common pitfalls, OWASP list, and checklists should be split into separate referenced files. No bundle files exist to offload content, and the skill makes no attempt to organize into a main overview with references to detailed sub-documents.

1 / 3

Total: 7 / 12

Passed

Description

32%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a relevant domain (secure API design) and lists several sub-topics, but it reads like a topic heading rather than an actionable skill description. It lacks a 'Use when...' clause, misses common natural trigger terms users would use, and doesn't specify concrete outputs or actions the skill performs.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about API security, securing endpoints, adding authentication/authorization to APIs, or protecting against attacks like SQL injection or XSS.'

Include more natural trigger terms and variations users would say, such as 'OAuth', 'JWT', 'API keys', 'CORS', 'token-based auth', 'SQL injection', 'XSS', 'OWASP API security'.

Make the actions more concrete by specifying outputs, e.g., 'Generates authentication middleware, implements JWT token validation, adds rate-limiting logic, and creates input sanitization schemas for API endpoints.'

Dimension / Reasoning / Score

Specificity

Lists several domain-specific actions (authentication, authorization, input validation, rate limiting, vulnerability protection) but they read more like a category list than concrete actions. It doesn't specify what concrete outputs or transformations are performed (e.g., 'generates middleware code', 'adds JWT token validation').

2 / 3

Completeness

Describes what the skill does (implement secure API design patterns) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and the 'what' portion is also only moderately detailed, placing this at 1.

1 / 3

Trigger Term Quality

Includes relevant terms like 'authentication', 'authorization', 'rate limiting', 'input validation', and 'API vulnerabilities' that users might mention. However, it misses common natural variations like 'OAuth', 'JWT', 'API keys', 'CORS', 'SQL injection', 'XSS', or 'API security' that users would naturally say.

2 / 3

Distinctiveness Conflict Risk

The focus on 'secure API design patterns' is somewhat specific, but terms like 'authentication', 'authorization', and 'input validation' could easily overlap with general security skills, web development skills, or backend development skills. The lack of a clear niche or explicit trigger boundaries increases conflict risk.

2 / 3

Total: 7 / 12

Passed

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure

Criteria / Description / Result

skill_md_line_count

SKILL.md is long (916 lines); consider splitting into references/ and linking

Warning

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total: 9 / 11

Passed

Repository: sickn33/antigravity-awesome-skills (Reviewed)
