Identify and exploit authentication and session management vulnerabilities in web applications. Broken authentication consistently ranks in the OWASP Top 10 and can lead to account takeover, identity theft, and unauthorized access to sensitive systems.
43 · 30%
Does it follow best practices?
Impact: Pending (no eval scenarios have been run)
Risky: do not use without reviewing
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/broken-authentication/SKILL.md`
Quality
Discovery (32%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear security domain (broken authentication) and mentions relevant concepts, but it reads more like an educational blurb than a skill selection guide. It lacks an explicit 'Use when...' clause, and the second sentence provides background context rather than actionable trigger guidance. The specificity of concrete actions is also limited.
Suggestions
- Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about login security, session hijacking, credential stuffing, password reset flaws, or authentication bypass testing.'
- List more specific concrete actions such as 'test for credential stuffing, analyze session tokens, evaluate JWT security, check for session fixation, audit OAuth flows, and assess multi-factor authentication implementations.'
- Include common user-facing trigger terms like 'login bypass', 'JWT', 'cookie security', 'password brute force', 'session hijacking', and 'OAuth' to improve matching against natural user queries.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (authentication/session management vulnerabilities) and general actions (identify and exploit), but doesn't list specific concrete actions like testing credential stuffing, session fixation, token analysis, or brute force attacks. | 2 / 3 |
| Completeness | Describes what the skill does (identify and exploit auth vulnerabilities) but has no explicit 'Use when...' clause or equivalent trigger guidance. The second sentence is informational context about OWASP rather than guidance on when to select this skill. Per rubric, missing 'Use when' caps completeness at 2, and the 'when' is entirely absent, warranting a 1. | 1 / 3 |
| Trigger Term Quality | Includes relevant terms like 'authentication', 'session management', 'OWASP Top 10', 'account takeover', and 'broken authentication', but misses common user variations like 'login bypass', 'password reset flaws', 'JWT', 'session hijacking', 'cookie security', or 'OAuth vulnerabilities'. | 2 / 3 |
| Distinctiveness Conflict Risk | Focuses on authentication and session management specifically, which is somewhat distinct, but could overlap with other web security skills covering OWASP vulnerabilities, penetration testing, or general web application security assessments. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation (27%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is excessively verbose, containing substantial content that Claude already knows (authentication concepts, cookie flags, common passwords, HTTP basics). While the 10-phase workflow provides reasonable coverage of broken authentication testing, the content would benefit enormously from being split across multiple files and trimmed of explanatory material. The actionability is moderate—some concrete commands exist but many 'code' blocks are really commented checklists rather than executable instructions.
Suggestions
- Reduce content by 60-70%: remove prerequisite knowledge sections, common password lists, cookie flag explanations, and authentication type definitions that Claude already knows. Focus only on novel testing methodology and specific tool syntax.
- Split into multiple files: move the quick reference tables to REFERENCE.md, examples to EXAMPLES.md, and detailed phase instructions to separate files (e.g., SESSION_TESTING.md, MFA_TESTING.md), keeping SKILL.md as a concise overview with navigation links.
- Convert pseudocode comment blocks into executable commands or remove them. For example, Phase 2 and Phase 4's 'protections check' are comments in bash blocks; either make them actual test scripts or present them as a concise checklist outside code fences.
- Add explicit validation checkpoints between phases (e.g., 'Verify authorization scope before proceeding to brute force testing' and 'Confirm rate limit thresholds before running credential stuffing') to create proper feedback loops for these potentially impactful operations.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at 300+ lines. Explains concepts Claude already knows (HTTP protocol, what session cookies are, what JWT is, authentication types). The purpose section restates the description. Sections like 'Prerequisites > Required Knowledge' and extensive tables of cookie flags are unnecessary padding. The 'Common passwords' list and default credentials are well-known to Claude. | 1 / 3 |
| Actionability | Provides some concrete commands (Hydra syntax, HTTP requests, Python script) but much of the content is pseudocode-like comments rather than executable code. Many code blocks are actually checklists disguised as code (Phase 2, Phase 4 protections check). The Python session analysis script is incomplete (analysis steps are comments only). | 2 / 3 |
| Workflow Clarity | The 10-phase workflow is clearly sequenced and logically ordered, but lacks explicit validation checkpoints between phases. There are no feedback loops for error recovery or decision points about when to proceed vs. stop. For security testing involving potentially destructive operations (brute force, credential stuffing), there should be explicit go/no-go checks and scope verification steps. | 2 / 3 |
| Progressive Disclosure | Monolithic wall of text with no references to external files or bundle resources. All content is inline despite being far too long for a single SKILL.md. The quick reference tables, examples, and detailed phase instructions should be split into separate files with clear navigation from the main skill. | 1 / 3 |
| Total | | 6 / 12 Passed |
Validation (90%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |