Identify and exploit authentication and session management vulnerabilities in web applications. Broken authentication consistently ranks in the OWASP Top 10 and can lead to account takeover, identity theft, and unauthorized access to sensitive systems.
Score: 30% (does it follow best practices?)

Impact: Pending (no eval scenarios have been run)

Rating: Risky. Do not use without reviewing.
Optimize this skill with Tessl: npx tessl skill review --optimize ./skills/broken-authentication/SKILL.md

Quality
Discovery (32%)

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear security domain (broken authentication) but wastes its second sentence on background information about OWASP rankings and consequences rather than providing actionable trigger guidance. It lacks a 'Use when...' clause, specific concrete actions, and common user-facing trigger terms that would help Claude select this skill appropriately.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about login security, session hijacking, credential stuffing, password reset flaws, JWT vulnerabilities, or OAuth misconfigurations.'
Replace the OWASP background sentence with specific concrete actions, e.g., 'Tests for credential stuffing, session fixation, insecure token generation, brute force attacks, and password reset flaws.'
Include more natural trigger terms users would say, such as 'login bypass', 'cookie security', 'session tokens', '2FA bypass', and 'JWT'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (authentication/session management vulnerabilities) and general actions (identify and exploit), but doesn't list specific concrete actions like testing credential stuffing, session fixation, token analysis, or brute force attacks. | 2 / 3 |
| Completeness | Describes what the skill does (identify and exploit auth vulnerabilities) but has no explicit 'Use when...' clause or equivalent trigger guidance. The second sentence is background information about OWASP rankings and consequences, not trigger guidance. Per rubric, missing 'Use when' caps completeness at 2, and the 'when' is entirely absent, warranting a 1. | 1 / 3 |
| Trigger Term Quality | Includes relevant terms like 'authentication', 'session management', 'OWASP Top 10', 'account takeover', and 'broken authentication', but misses common user variations like 'login bypass', 'password reset flaws', 'JWT', 'session hijacking', 'cookie security', or 'OAuth vulnerabilities'. | 2 / 3 |
| Distinctiveness / Conflict Risk | Focuses on authentication and session management specifically, which is somewhat distinct, but could overlap with general web security scanning skills, penetration testing skills, or other OWASP-related vulnerability skills. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation (27%)

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is comprehensive in coverage but severely bloated, containing extensive content that Claude already knows (HTTP basics, cookie flags, what JWT tokens are) alongside genuinely useful testing procedures. The lack of progressive disclosure means everything is in one massive file, and many 'code' blocks are actually commented checklists rather than executable commands. The workflow would benefit from validation checkpoints and clearer pass/fail criteria.
Suggestions
Reduce content by 60%+ by removing explanations of concepts Claude already knows (cookie flags table, authentication types list, what credential stuffing is) and keeping only the specific testing procedures and commands.
Split into multiple files: keep SKILL.md as a concise overview with phase summaries, and move detailed payloads to PAYLOADS.md, examples to EXAMPLES.md, and reference tables to REFERENCE.md.
Convert pseudocode bash comments (e.g., '# Test minimum length (a, ab, abcdefgh)') into actual executable commands or scripts that can be copy-pasted.
Add explicit validation checkpoints between phases (e.g., 'Confirm at least 3 authentication endpoints mapped before proceeding to Phase 2') and decision criteria for confirming vs. dismissing findings.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~350+ lines, repeating concepts Claude already knows (HTTP protocol basics, what JWT is, what session cookies are). The purpose section restates the description. Many sections contain explanatory comments that add no value (e.g., '# Credential stuffing differs from brute force'). Tables explaining cookie flags and authentication types are standard knowledge. | 1 / 3 |
| Actionability | The skill provides some concrete commands (Hydra syntax, HTTP requests, Python script) but much of the content is pseudocode-like bash comments rather than executable code. Many steps are checklists of things to check rather than specific executable instructions. The Python session analysis script is incomplete (analysis logic is comments only). | 2 / 3 |
| Workflow Clarity | The 10-phase workflow is clearly sequenced and covers the domain well, but lacks explicit validation checkpoints and feedback loops. There's no verification step to confirm findings before proceeding, no decision points for when to escalate or stop, and no clear criteria for determining if a vulnerability is confirmed vs. a false positive. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of text with no references to external files. All content (quick reference tables, examples, troubleshooting, detailed phase instructions) is crammed into a single document. The quick reference section, examples, and detailed payloads could easily be split into separate referenced files. | 1 / 3 |
| Total | | 6 / 12 Passed |
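The Actionability finding above says the skill's session analysis script stops at comments. As an added example of what the finished analysis logic would look like (written for this review page, not the skill's own script), the block below runs three checks that a practitioner actually needs when judging session identifiers: an upper bound on the entropy the sampled tokens demonstrate, a test for constant-step (counter-style) generation, and a test for tokens that are merely encoded state rather than random handles. The three token sets are constructed, and the 64-bit threshold is a chosen heuristic, not a value from the skill.

```python
import base64
import binascii
import math
import random
from collections import Counter

# --- Constructed sample data (not captured from any real application) ---
# WEAK: 8 hex digits of a Unix-timestamp-like value followed by an 8 hex digit
# counter, the "time + sequence" anti-pattern the testing procedure should catch.
WEAK_TOKENS = [f"{1_700_000_000 + i:08x}{i:08x}" for i in range(1, 21)]
# STRONG: 128-bit values from a seeded PRNG, standing in for os.urandom output.
_rng = random.Random(1234)
STRONG_TOKENS = [f"{_rng.getrandbits(128):032x}" for _ in range(20)]
# ENCODED: base64 of a readable record, i.e. client-held state, not a random handle.
ENCODED_TOKENS = [
    base64.b64encode(f"uid={1000 + i};ts={1_700_000_000 + i};role=user".encode()).decode()
    for i in range(20)
]


def shannon_entropy_per_char(token: str) -> float:
    """Bits of entropy per character within one token (at most log2 of the alphabet size)."""
    counts = Counter(token)
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def positional_distinct(tokens: list[str]) -> list[int]:
    """Number of distinct characters seen at each index across the sample.
    A position that never changes is format or prefix, not secret material."""
    width = min(len(t) for t in tokens)
    return [len({t[i] for t in tokens}) for i in range(width)]


def observed_bits_upper_bound(tokens: list[str]) -> float:
    """Sum of log2(distinct values) per position: an upper bound on the entropy the
    sample demonstrates. Each position can contribute at most log2(sample size), so
    a 20-token sample can reject a generator but never prove it strong."""
    return sum(math.log2(d) for d in positional_distinct(tokens))


def is_sequential(tokens: list[str], base: int = 16) -> bool:
    """True when the tokens, read as integers, advance by one constant non-zero step."""
    try:
        values = [int(t, base) for t in tokens]
    except ValueError:
        return False
    deltas = {b - a for a, b in zip(values, values[1:])}
    return len(deltas) == 1 and next(iter(deltas)) != 0


def decodes_to_text(token: str) -> bool:
    """True if the token base64- or hex-decodes to mostly printable ASCII, which
    indicates encoded state (user id, timestamp, role) rather than a random handle."""
    for decoder in (lambda s: base64.b64decode(s, validate=True), bytes.fromhex):
        try:
            raw = decoder(token)
        except (binascii.Error, ValueError):
            continue
        if raw and sum(32 <= b < 127 for b in raw) / len(raw) > 0.9:
            return True
    return False


def analyze(tokens: list[str]) -> dict:
    """Run every check and return a report; an empty 'findings' list means no check fired."""
    distinct = positional_distinct(tokens)
    report = {
        "mean_entropy_per_char": sum(map(shannon_entropy_per_char, tokens)) / len(tokens),
        "fixed_positions": [i for i, d in enumerate(distinct) if d == 1],
        "observed_bits_upper_bound": observed_bits_upper_bound(tokens),
        "sequential": is_sequential(tokens),
        "encoded_state": all(decodes_to_text(t) for t in tokens),
        "findings": [],
    }
    if report["sequential"]:
        report["findings"].append("tokens advance by a constant step: predictable")
    if report["observed_bits_upper_bound"] < 64:  # heuristic threshold chosen for this example
        report["findings"].append("sample shows under 64 bits of variation: collect more tokens or treat as weak")
    if report["encoded_state"]:
        report["findings"].append("tokens decode to readable state: server trusts client-held values")
    return report


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS), ("encoded", ENCODED_TOKENS)):
        print(name, analyze(sample))
```

The upper-bound check is deliberately one-sided: a passing result with 20 tokens only means the generator was not obviously broken, so the pass criterion in the workflow should require a larger capture (hundreds of tokens) before a session identifier is recorded as adequate.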
Validation (90%)

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
d739c8b