Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities
58
37%: Does it follow best practices?
Impact: 100% (1.17x average score across 3 eval scenarios)
Passed: No known issues
Optimize this skill with Tessl:
npx tessl skill review --optimize ./plugins/antigravity-awesome-skills-claude/skills/api-security-best-practices/SKILL.md
Quality
Discovery
32%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear domain (secure API design) and lists several relevant sub-topics, but it lacks a 'Use when...' clause, which is critical for Claude to know when to select this skill. The listed capabilities are more like category labels than concrete actions, and the description misses common trigger terms users would naturally use when seeking help with API security.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about API security, securing endpoints, adding authentication/authorization to APIs, or protecting against attacks like SQL injection or XSS.'
Include more natural trigger terms and variations users would say, such as 'OAuth', 'JWT', 'API keys', 'CORS', 'token-based auth', 'SQL injection', 'XSS', '.env secrets'.
Make the actions more concrete by specifying outputs, e.g., 'Generates authentication middleware, implements JWT token validation, adds rate-limiting logic, and creates input sanitization schemas.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists several domain-specific actions (authentication, authorization, input validation, rate limiting, vulnerability protection) but they read more like a category list than concrete actions. It doesn't specify what concrete outputs or transformations are performed (e.g., 'generates middleware code', 'adds JWT token validation'). | 2 / 3 |
| Completeness | Describes what the skill does (implement secure API design patterns) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and the 'what' portion is also only moderately detailed, placing this at 1. | 1 / 3 |
| Trigger Term Quality | Includes relevant terms like 'authentication', 'authorization', 'rate limiting', 'input validation', and 'API vulnerabilities' that users might mention. However, it misses common variations like 'OAuth', 'JWT', 'API keys', 'CORS', 'SQL injection', 'XSS', or 'API security' that users would naturally say. | 2 / 3 |
| Distinctiveness / Conflict Risk | The focus on 'secure API design patterns' provides some specificity, but terms like 'authentication', 'authorization', and 'input validation' could easily overlap with general security skills, web development skills, or backend development skills. | 2 / 3 |
| Total | | 7 / 12 (Passed) |
Implementation
42%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides high-quality, executable code examples covering JWT authentication, input validation, rate limiting, and common security pitfalls — its actionability is its strongest dimension. However, it is severely bloated, explaining many concepts Claude already knows (OWASP definitions, why HTTPS matters, what SQL injection is), and dumps everything into a single monolithic file with no progressive disclosure. The workflow structure is superficial, listing abstract steps without concrete validation checkpoints between phases.
Suggestions
Reduce content by 60-70%: remove explanations of concepts Claude already knows (what rate limiting is, OWASP summaries, basic security principles) and keep only the concrete code patterns and specific implementation decisions.
Extract the three large examples (JWT auth, input validation, rate limiting) into separate bundle files and reference them from a concise overview in SKILL.md.
Remove the 'When to Use This Skill' section entirely and trim the do/don't lists to only non-obvious, implementation-specific guidance.
Add explicit validation checkpoints to the workflow (e.g., 'After implementing auth middleware, test with: curl -H "Authorization: Bearer invalid" to verify rejection before proceeding').
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at 500+ lines. Explains concepts Claude already knows (what rate limiting is, why HTTPS matters, what SQL injection is). The 'Why Rate Limiting?' bullet list, OWASP Top 10 summaries, and extensive do/don't lists are all knowledge Claude possesses. The 'When to Use This Skill' section with 8 bullets is unnecessary padding. | 1 / 3 |
| Actionability | The code examples are fully executable, complete with imports, error handling, and realistic patterns. JWT authentication, input validation with Zod, rate limiting with Redis, and the common pitfalls all provide copy-paste ready code with clear before/after comparisons. | 3 / 3 |
| Workflow Clarity | Steps 1-5 in 'How It Works' are listed but are abstract descriptions rather than a clear workflow with validation checkpoints. There's no explicit verification step between implementing authentication and moving to input validation. The individual code examples have good internal flow, but the overall skill lacks a cohesive workflow with feedback loops for security review/testing. | 2 / 3 |
| Progressive Disclosure | Monolithic wall of text with no bundle files to offload content. The three massive example blocks (JWT auth, input validation, rate limiting) should each be separate reference files. Everything is inlined into a single enormous document with no structural separation, making it overwhelming to navigate. | 1 / 3 |
| Total | | 7 / 12 (Passed) |
Validation
81%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (916 lines); consider splitting into references/ and linking | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 (Passed) |