CtrlK
BlogDocsLog inGet started
Tessl Logo

api-security-best-practices

Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities

49

1.37x
Quality

Does it follow best practices?

Impact

92%

1.37x

Average score across 1 eval scenario

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

37%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill is highly actionable with concrete executable code, but it is far too verbose, repeats concepts and checklists Claude already knows, lacks validation/feedback checkpoints in its workflows, and is a monolithic single file with no progressive disclosure. Trimming redundant explanatory prose and moving large code examples into reference files would substantially improve it.

Suggestions

Cut redundant conceptual explanation, restated checklists, and duplicated do/don't lists to assume Claude's competence and respect the token budget.

Add explicit validation and fix-and-retry checkpoints to the multi-step security workflows (e.g. verify tokens, test rate limits, re-scan for vulnerabilities before declaring done).

Move the large worked code examples into separate reference files under references/ and keep SKILL.md a concise overview with one-level-deep links.

DimensionReasoningScore

Conciseness

The ~900-line body explains concepts Claude already knows (what OWASP is, generic "Validate all input data" bullets, restated checklists) and pads heavily with redundant do/don't lists and nested markdown examples, fitting the verbose/knows-concepts anchor.

1 / 3

Actionability

Provides fully executable, copy-paste-ready Node.js/Express code for JWT auth, parameterized queries, Zod validation, and rate limiting with specific libraries and configuration, matching the executable-examples anchor.

3 / 3

Workflow Clarity

Steps are listed under "How It Works" and there are checklists, but there are no explicit validation checkpoints or fix-and-retry feedback loops for the destructive/batch operations the skill covers (e.g. auth changes, data handling), which caps clarity at 2 per the rubric notes.

2 / 3

Progressive Disclosure

It is a monolithic wall of text with everything inline and no bundle files (references/scripts/assets are absent), so there is no split of detailed material into one-level-deep files; this matches the monolithic anchor.

1 / 3

Total

7

/

12

Passed

Description

60%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific about what the skill does but lacks an explicit when-to-use trigger, and its keywords are somewhat technical rather than natural. Adding a "Use when..." clause with user-facing phrasings would materially raise completeness and trigger-term quality.

Suggestions

Append an explicit "Use when..." clause naming concrete triggers, e.g. "Use when designing or securing REST, GraphQL, or WebSocket APIs, or when the user asks about API auth, rate limiting, or injection protection."

Replace technical phrasings with natural user terms where possible ("secure my API", "add rate limiting", "prevent API attacks") to improve trigger-term quality.

Narrow the opening to a more distinct niche (e.g. naming REST/GraphQL/WebSocket APIs) to reduce overlap with general backend/security skills.

DimensionReasoningScore

Specificity

Lists multiple concrete actions: "authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities", matching the multiple-specific-actions anchor rather than the domain-and-some-actions level.

3 / 3

Completeness

It states clearly what the skill does but provides no "Use when..." clause or equivalent explicit trigger for when to invoke it, which per the judging guidelines caps completeness at 2.

2 / 3

Trigger Term Quality

Terms like "secure API design patterns" and "input validation" are relevant but lean technical and lack the natural phrasings a user would say (e.g. "secure my API", "API auth"); coverage is partial rather than comprehensive.

2 / 3

Distinctiveness Conflict Risk

"secure API design patterns" is a broad framing that could overlap with general backend or security skills; the listed actions add some specificity but it is not a clearly distinct niche.

2 / 3

Total

9

/

12

Passed

Validation

87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation14 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

skill_md_line_count

SKILL.md is long (916 lines); consider splitting into references/ and linking

Warning

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

14

/

16

Passed

Repository
sickn33/antigravity-awesome-skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.