API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
51
26%
Does it follow best practices?
Impact
96%
1.10x average score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl:
npx tessl skill review --optimize ./skills/api-security-testing/SKILL.md
Quality
Discovery
32%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear domain (API security testing) and lists relevant topic areas, but it reads more like a table of contents than an actionable skill description. It lacks concrete actions (what the skill actually does) and entirely omits a 'Use when...' clause, making it difficult for Claude to know when to select this skill over others.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to test API security, perform penetration testing on endpoints, check for authentication vulnerabilities, or audit REST/GraphQL APIs.'
Replace topic area listings with concrete actions, e.g., 'Tests for broken authentication, checks authorization bypass vulnerabilities, validates rate limiting configurations, fuzzes API inputs for injection attacks.'
Include additional natural trigger terms users might say, such as 'OWASP', 'pen test', 'vulnerability scan', 'JWT security', 'API audit', or 'endpoint security'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (API security testing) and lists several areas covered (authentication, authorization, rate limiting, input validation, security best practices), but these read more as topic areas than concrete actions. It doesn't specify what actions are performed, like 'tests for broken authentication' or 'fuzzes input parameters'. | 2 / 3 |
| Completeness | Describes what the skill covers at a high level but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and since the 'what' is also somewhat vague (topic areas rather than concrete actions), this scores a 1. | 1 / 3 |
| Trigger Term Quality | Includes relevant keywords like 'REST', 'GraphQL', 'API', 'authentication', 'authorization', 'rate limiting', and 'input validation' which users might naturally mention. However, it misses common variations like 'OWASP', 'pen test', 'vulnerability scan', 'API keys', 'JWT', 'tokens', or 'security audit'. | 2 / 3 |
| Distinctiveness Conflict Risk | The focus on API security testing for REST and GraphQL is reasonably specific and distinguishes it from general security or general API skills. However, overlap could occur with broader security testing skills or API development skills due to the lack of precise scoping. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation
20%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is a shallow organizational skeleton that lists phases and action items without providing any concrete, executable guidance. It reads like a table of contents or checklist rather than an instructional document—every phase follows the same template of vague bullet points and trivial copy-paste prompts. The content adds very little that Claude couldn't infer from the skill names alone.
Suggestions
Replace vague action items with concrete examples: specific curl commands, actual JWT test payloads, GraphQL introspection queries, or tool-specific command-line invocations for each phase.
Add validation checkpoints between phases (e.g., 'Before proceeding to Phase 3, verify you have documented all authentication endpoints and their token types').
Condense the repetitive phase structure—either provide real depth for each phase or collapse them into a concise checklist with links to detailed skill files.
Include at least one complete worked example showing an end-to-end API security test against a sample endpoint, demonstrating the actual workflow in practice.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose and repetitive structure. Each phase follows an identical template with vague numbered action lists that add no real value. The 'Copy-Paste Prompts' sections are trivially simple one-liners that don't provide meaningful guidance. Much of this content is padding that Claude already knows (e.g., listing 'Test SQL injection, Test NoSQL injection' without any specifics). | 1 / 3 |
| Actionability | No concrete code, commands, or executable examples anywhere. Every phase consists of vague action items like 'Test JWT tokens' and 'Test parameter validation' without any specific techniques, tools, payloads, or commands. The copy-paste prompts are just 'Use @skill-name to do X' which is not actionable guidance. | 1 / 3 |
| Workflow Clarity | The phases are clearly sequenced and the overall flow from discovery through authentication, authorization, input validation, rate limiting, GraphQL, and error handling is logical. However, there are no validation checkpoints between phases, no feedback loops for when tests fail, and no criteria for when to proceed to the next phase. The quality gates at the end are too generic. | 2 / 3 |
| Progressive Disclosure | References to other skills are present throughout (e.g., api-fuzzing-bug-bounty, broken-authentication, idor-testing), which is good progressive disclosure. However, the main document itself is a wall of repetitive content that could be significantly condensed, and the references are not clearly signaled with links or descriptions of what each referenced skill actually provides. | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |