
api-security-testing

API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.


Quality: 20% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Passed (No known issues)

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/antigravity-awesome-skills-claude/skills/api-security-testing/SKILL.md

Quality

Discovery

32%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear domain (API security testing) and lists relevant topic areas, but it reads more like a table of contents than an actionable skill description. It lacks concrete actions (what the skill actually does) and completely omits trigger guidance (when Claude should use it), significantly reducing its effectiveness for skill selection.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to test API security, audit API endpoints, check for authentication vulnerabilities, or review REST/GraphQL API security.'

Replace topic area listings with concrete actions, e.g., 'Tests API endpoints for broken authentication, checks authorization bypass vulnerabilities, validates rate limiting configurations, and fuzzes input parameters for injection attacks.'

Include additional natural trigger terms users might say, such as 'pen test', 'vulnerability scan', 'OWASP API top 10', 'JWT security', or 'API audit'.

Dimension scores (reasoning and score):

Specificity (2 / 3): Names the domain (API security testing) and lists several areas covered (authentication, authorization, rate limiting, input validation, security best practices), but these read more as topic areas than concrete actions. It doesn't specify what actions are performed, like 'tests for broken authentication' or 'fuzzes input parameters'.

Completeness (1 / 3): Describes what the skill covers at a high level but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and since the 'what' is also somewhat vague (topic areas rather than concrete actions), this scores a 1.

Trigger Term Quality (2 / 3): Includes relevant keywords like 'REST', 'GraphQL', 'API', 'authentication', 'authorization', 'rate limiting', and 'input validation' which users might naturally mention. However, it misses common variations like 'OWASP', 'pen test', 'vulnerability scan', 'API keys', 'JWT', 'tokens', or 'security audit'.

Distinctiveness / Conflict Risk (2 / 3): The focus on API security testing for REST and GraphQL is somewhat specific, but 'security best practices' and 'input validation' are broad enough to overlap with general security skills or web application testing skills. The combination of API + security + testing does narrow the niche somewhat.

Total: 7 / 12 (Passed)

Implementation

7%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is essentially a shallow checklist disguised as a workflow. It provides no executable code, no specific techniques, no concrete examples, and no meaningful validation steps. Every phase follows an identical boilerplate template with vague action items that Claude could generate on its own without any skill file, making the entire document largely redundant.

Suggestions

Replace vague action items with concrete, executable examples — e.g., provide actual curl commands for testing JWT validation, specific GraphQL introspection queries, or example payloads for injection testing.

Add validation checkpoints between phases with specific criteria for pass/fail — e.g., 'Verify all endpoints return 401 without valid auth token before proceeding to authorization testing.'

Eliminate the repetitive phase template structure and condense to a lean overview with only the information Claude doesn't already know, such as specific tool flags, common API vulnerability patterns, or decision trees for choosing test approaches.

Either provide the referenced bundle skills or include the critical content inline — currently the skill delegates everything to other skills without providing any standalone value.

Dimension scores (reasoning and score):

Conciseness (1 / 3): Extremely verbose and repetitive. Each phase follows an identical template with shallow action lists that add no value beyond what Claude already knows. The 'Copy-Paste Prompts' sections are trivial one-liners that don't provide real guidance. The entire skill could be condensed to a fraction of its size.

Actionability (1 / 3): No concrete code, commands, or executable examples anywhere. Every phase consists of vague action items like 'Test JWT tokens' and 'Test SQL injection' without any specific techniques, payloads, tool commands, or code snippets. The 'Copy-Paste Prompts' are just generic delegation statements to other skills.

Workflow Clarity (1 / 3): While phases are numbered, there are no validation checkpoints, no feedback loops, no decision points, and no criteria for when to proceed between phases. The checklist at the end has no connection to the workflow steps. For security testing involving potentially destructive operations, the complete absence of verification steps is a significant gap.

Progressive Disclosure (2 / 3): The skill references multiple other skills (api-fuzzing-bug-bounty, broken-authentication, idor-testing, etc.) which suggests some progressive disclosure structure. However, no bundle files are provided to support these references, and the main file itself is a monolithic wall of repetitive content that could benefit from better organization.

Total: 5 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure (criteria, description and result):

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11 (Passed)

Repository
sickn33/antigravity-awesome-skills
Reviewed
