
api-security-testing

API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.


Quality: 20% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Passed, no known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/antigravity-awesome-skills-claude/skills/api-security-testing/SKILL.md

Quality: Content (7%)

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is essentially a hollow template that lists security testing topics without providing any actionable guidance. It delegates everything to other skills via trivial prompts while offering no concrete techniques, commands, payloads, or code examples. The repetitive phase structure inflates token count without adding value, and the lack of validation checkpoints or decision criteria makes the workflow unreliable for actual security testing.

Suggestions

Replace vague action items with concrete, executable examples — e.g., specific curl commands for testing JWT validation, actual GraphQL introspection queries, or example payloads for injection testing.

Add validation checkpoints between phases with specific criteria for pass/fail (e.g., 'Verify 401 returned for expired tokens before proceeding to authorization testing').

Eliminate the repetitive phase template structure and consolidate into a concise checklist with inline references to delegated skills, cutting the content by at least 60%.

Include at least one complete worked example showing the end-to-end flow for a specific API endpoint, demonstrating what actual testing output looks like.

Dimension / Reasoning / Score

Conciseness (1 / 3): Extremely verbose and repetitive. Each phase follows an identical template with shallow action lists that add no value beyond what Claude already knows. The 'Copy-Paste Prompts' sections are trivial one-liners that don't provide real guidance. The entire skill could be condensed to a fraction of its size.

Actionability (1 / 3): No concrete code, commands, or executable examples anywhere. Every phase consists of vague action items like 'Test JWT tokens' and 'Test SQL injection' without any specific techniques, payloads, tool commands, or code snippets. The 'Copy-Paste Prompts' are just generic delegation statements to other skills.

Workflow Clarity (1 / 3): While phases are sequenced, there are no validation checkpoints, no feedback loops, no decision points, and no criteria for when to proceed between phases. The numbered action items within each phase are unordered checklists disguised as sequences with no dependencies or verification steps.

Progressive Disclosure (2 / 3): The skill references multiple other skills (api-fuzzing-bug-bounty, broken-authentication, idor-testing, etc.) which suggests a delegation model, but no bundle files exist to support these references. The structure has clear sections and a logical organization, but the content within each section is shallow and repetitive rather than being a useful overview.

Total: 5 / 12 (Passed)

Quality: Description (32%)

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear domain (API security testing) and lists relevant topic areas, but it reads more like a category label than an actionable skill description. It lacks concrete actions (what it actually does) and completely omits 'Use when...' guidance, making it difficult for Claude to know when to select this skill over others.

Suggestions

Add a 'Use when...' clause with explicit triggers, e.g., 'Use when the user asks about API security testing, vulnerability scanning, penetration testing for REST/GraphQL endpoints, or securing API authentication flows.'

Replace topic area listings with concrete actions, e.g., 'Tests API endpoints for broken authentication, validates authorization controls, checks rate limiting configurations, fuzzes input parameters for injection vulnerabilities, and generates security assessment reports.'

Include additional natural trigger terms users might say, such as 'OWASP', 'API vulnerability', 'JWT security', 'OAuth testing', 'penetration test', or 'security audit'.

Dimension / Reasoning / Score

Specificity (2 / 3): Names the domain (API security testing) and lists several areas covered (authentication, authorization, rate limiting, input validation, security best practices), but these read more as topic areas than concrete actions. It doesn't specify what actions are performed, like 'tests for broken authentication' or 'generates security reports'.

Completeness (1 / 3): Describes what the skill covers (API security testing across several domains) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and the 'what' portion is also somewhat weak (listing topics rather than actions), bringing this to a 1.

Trigger Term Quality (2 / 3): Includes relevant keywords like 'API', 'REST', 'GraphQL', 'authentication', 'authorization', 'rate limiting', and 'input validation' which users might naturally mention. However, it misses common variations like 'OWASP', 'penetration testing', 'API keys', 'JWT', 'OAuth', 'vulnerability scanning', or 'security audit'.

Distinctiveness / Conflict Risk (2 / 3): The combination of 'API security testing' with 'REST and GraphQL' provides reasonable specificity, but it could overlap with general API testing skills, security auditing skills, or input validation skills. The lack of explicit trigger conditions increases conflict risk.

Total: 7 / 12 (Passed)

Quality: Validation (90%)

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata (Warning)

Total: 10 / 11 (Passed)

Repository: sickn33/antigravity-awesome-skills (Reviewed)
