CtrlK
BlogDocsLog inGet started
Tessl Logo

broken-authentication

Identify and exploit authentication and session management vulnerabilities in web applications. Broken authentication consistently ranks in the OWASP Top 10 and can lead to account takeover, identity theft, and unauthorized access to sensitive systems.

48

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Risky

Do not use without reviewing

SKILL.md
Quality
Evals
Security

Quality

Content

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The content is highly actionable with concrete commands and examples, but it is far too verbose for a SKILL.md, restates common knowledge, and is a monolithic wall of text with no progressive disclosure or bundle files.

Suggestions

Trim restated common knowledge (password lists, cookie flag tables, MFA explanations) and move exhaustive reference material into bundled files under references/.

Add explicit validation/checkpoint steps to the brute-force and credential-stuffing phases, including stop conditions and an authorization gate at the start of the workflow.

Split the monolithic body into a lean overview in SKILL.md with one-level-deep links to e.g. references/session-testing.md and references/mfa-testing.md.

DimensionReasoningScore

Conciseness

The body is highly verbose (~400 lines), restating well-known concepts (what MFA is, common password lists, cookie flag purposes) that Claude already knows, with much of the content padding rather than earning its tokens.

1 / 3

Actionability

Provides concrete, executable commands (Hydra invocations, Burp Intruder steps, Python token-collection snippet, JWT 'none' alg payload) that are copy-paste ready and specific.

3 / 3

Workflow Clarity

The ten phases are clearly sequenced, but destructive/batch operations (brute force, credential stuffing) lack explicit validation checkpoints or stop conditions; the legal authorization check is mentioned in a separate Constraints section rather than as a workflow gate.

2 / 3

Progressive Disclosure

No bundle files exist (references/scripts/assets absent) and the SKILL.md is a monolithic wall of text with all detail inline; there is no overview-to-detail split or external references.

1 / 3

Total

7

/

12

Passed

Description

62%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific and domain-clear, naming concrete actions and outcomes. It is weakened by the lack of an explicit 'Use when...' trigger clause and by trigger terms that lean technical rather than natural.

Suggestions

Add an explicit trigger clause, e.g. 'Use when testing web application login, password reset, session handling, or MFA mechanisms for vulnerabilities.'

Include natural user-facing keywords such as 'login', 'password reset', 'session tokens', 'MFA', and 'brute force' alongside the OWASP framing.

DimensionReasoningScore

Specificity

Lists multiple concrete actions ('Identify and exploit authentication and session management vulnerabilities') and names concrete outcomes (account takeover, identity theft, unauthorized access).

3 / 3

Completeness

Clearly answers 'what' (identify and exploit auth vulnerabilities) but provides no explicit 'Use when...' clause or trigger guidance for when Claude should invoke it.

2 / 3

Trigger Term Quality

Includes relevant terms ('authentication', 'session management', 'OWASP Top 10') but lacks natural user phrasings like 'login', 'password reset', 'MFA', or 'session tokens' that a user would actually say.

2 / 3

Distinctiveness Conflict Risk

The niche (broken authentication testing) is fairly distinct, but the absence of explicit trigger terms increases the chance of overlap with general web-app pentest skills.

2 / 3

Total

9

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
sickn33/antigravity-awesome-skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.