
broken-authentication

Identify and exploit authentication and session management vulnerabilities in web applications. Broken authentication consistently ranks in the OWASP Top 10 and can lead to account takeover, identity theft, and unauthorized access to sensitive systems.

34

Quality: 30% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Risky. Do not use without reviewing.

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/broken-authentication/SKILL.md

Quality

Discovery: 32%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear security domain (broken authentication) and mentions relevant concepts, but it reads more like an educational blurb than a skill selection guide. It lacks an explicit 'Use when...' clause, which is critical for Claude to know when to select this skill, and the second sentence adds context about impact rather than actionable trigger guidance.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about login security, session hijacking, credential stuffing, password reset flaws, JWT vulnerabilities, or OAuth misconfigurations.'

Replace the OWASP impact sentence with specific concrete actions like 'Tests for credential stuffing, session fixation, insecure token generation, brute force attacks, and password reset flaws.'

Include common user-facing trigger terms and file/technology references such as 'JWT', 'OAuth', 'cookies', 'session tokens', 'login bypass', and '2FA bypass'.

Dimension / Reasoning / Score

Specificity (2 / 3): Names the domain (authentication/session management vulnerabilities) and general actions (identify and exploit), but doesn't list specific concrete actions like testing credential stuffing, session fixation, token analysis, or brute force attacks.

Completeness (1 / 3): Describes what the skill does (identify and exploit auth vulnerabilities) but has no explicit 'Use when...' clause or equivalent trigger guidance. The second sentence is informational context about OWASP rather than guidance on when to select this skill. Per rubric, missing 'Use when' caps completeness at 2, and the 'when' is entirely absent, warranting a 1.

Trigger Term Quality (2 / 3): Includes relevant terms like 'authentication', 'session management', 'OWASP Top 10', 'account takeover', and 'broken authentication', but misses common user variations like 'login bypass', 'password reset flaws', 'JWT', 'session hijacking', 'cookie security', or 'OAuth vulnerabilities'.

Distinctiveness / Conflict Risk (2 / 3): Focuses on authentication and session management specifically, which is somewhat distinct, but could overlap with other web security skills covering OWASP vulnerabilities, penetration testing, or general web application security assessments.

Total: 7 / 12 (Passed)

Implementation: 27%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is a comprehensive but overly verbose reference document that reads more like a textbook chapter than an actionable skill for Claude. It explains many concepts Claude already knows, includes incomplete pseudocode rather than executable examples, and dumps everything into a single monolithic file. The workflow structure is logical but lacks validation checkpoints critical for security testing operations.

Suggestions

Reduce content by 60%+ by removing explanations of concepts Claude already knows (HTTP basics, what cookies are, common password lists, authentication type definitions) and keeping only the novel testing methodology.

Split into multiple files: keep SKILL.md as a concise overview with phase summaries, then create separate files like SESSION_TESTING.md, MFA_TESTING.md, CREDENTIAL_TESTING.md for detailed procedures.

Convert pseudocode comment blocks (e.g., '# Test minimum length', '# Account lockout') into actual executable commands or scripts with concrete expected outputs.

Add explicit validation checkpoints between phases, such as 'Verify authorization scope covers this test type before proceeding' and 'Confirm rate limit thresholds before launching brute force to avoid unintended lockouts.'
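The Actionability and Workflow suggestions above ask for executable checks with concrete outputs in place of commented placeholders, and single out the skill's session analysis script for collecting tokens without analysing them. The following is an added example, not code from the reviewed skill, its repository or Tessl: a self-contained session-token analysis that runs over constructed sample tokens and reports length consistency, per-token Shannon entropy and whether successive tokens decode to a small-step counter. The function names, the 3.0-bit entropy floor and the 2**16 counter step are assumptions chosen for the illustration; the sample tokens are constructed, not captured from any application.

```python
"""Session-token analysis: executable replacement for a comment-only placeholder.

Added example (assumed names and thresholds), not the reviewed skill's own code.
Feed it tokens captured from repeated logins; it reports structural weaknesses.
"""
import base64
import binascii
import math
import re
from collections import Counter

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+=*$")

# Constructed sample sets, not captured from any real application.
COUNTER_TOKENS = [f"{i:08x}" for i in range(1000, 1010)]  # hex-encoded counter
RANDOM_TOKENS = [
    "9f3a1c7e4b2d8e6f0a5c3b7d9e1f2a4c",
    "c4e8a2f61b9d3e7a5c0f8b2d4e6a1c39",
    "7b1e9d4f2a6c8e0b3d5f7a9c1e2b4d68",
    "e2a6c1f84d9b3e7f0c5a8d2b6e4f1a93",
    "1d7f3b9e5a2c8f4e6b0d9a3c7e1f5b82",
    "a8c2e6f04b7d1e9f3a5c8b2d6e0f4a71",
]


def shannon_entropy(token: str) -> float:
    """Bits per character of the observed symbol distribution (max 4.0 for hex)."""
    counts = Counter(token)
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def token_to_int(token: str):
    """Decode a hex or base64 token to an integer; None if neither decodes."""
    if HEX_RE.match(token):
        return int(token, 16)
    if B64_RE.match(token):
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
            return int.from_bytes(raw, "big")
        except (binascii.Error, ValueError):
            return None
    return None


def analyze_tokens(tokens, max_counter_step: int = 2**16, min_bits: float = 3.0) -> dict:
    """Flag weak session tokens: inconsistent length, low entropy or counter-like values.

    min_bits is an assumed rule-of-thumb floor for hex tokens; max_counter_step is the
    largest per-issue increment still treated as a counter. Both are illustrative.
    """
    if not tokens:
        raise ValueError("no tokens to analyse")
    lengths = {len(t) for t in tokens}
    entropies = [shannon_entropy(t) for t in tokens]
    values = [token_to_int(t) for t in tokens]

    sequential = False
    if len(values) > 1 and all(v is not None for v in values):
        deltas = [b - a for a, b in zip(values, values[1:])]
        # An encoded counter grows by a small positive step on every issue.
        sequential = all(0 < d <= max_counter_step for d in deltas)

    findings = []
    if len(lengths) != 1:
        findings.append("inconsistent token length")
    if min(entropies) < min_bits:
        findings.append("low per-token entropy")
    if sequential:
        findings.append("tokens look like an encoded counter")

    return {
        "count": len(tokens),
        "length_consistent": len(lengths) == 1,
        "min_entropy_bits": round(min(entropies), 3),
        "sequential": sequential,
        "findings": findings,
        "verdict": "WEAK" if findings else "no structural weakness found",
    }


if __name__ == "__main__":
    for name, sample in (("counter", COUNTER_TOKENS), ("random", RANDOM_TOKENS)):
        print(name, analyze_tokens(sample))
```

The counter set is flagged on both entropy and sequence, the random set on neither; a tester would swap in tokens collected from the target and treat a WEAK verdict as the trigger for the session-prediction tests, not as proof of exploitability on its own.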

Dimension / Reasoning / Score

Conciseness (1 / 3): Extremely verbose at 300+ lines. Explains concepts Claude already knows (HTTP protocol, what session cookies are, what JWT is, authentication types). The purpose section restates the description. Sections like 'Prerequisites > Required Knowledge' and extensive tables of cookie flags are unnecessary padding. The 'Common passwords' list and default credentials are well-known to Claude.

Actionability (2 / 3): Provides some concrete commands (Hydra syntax, HTTP requests, Python script) but much of the content is pseudocode-like comments rather than executable code. Many code blocks are just commented checklists (e.g., Phase 2, Phase 4 protections check). The Python session analysis script is incomplete (collects tokens but analysis is only comments).

Workflow Clarity (2 / 3): The 10-phase workflow is clearly sequenced and logically ordered. However, there are no validation checkpoints or feedback loops between phases. For security testing involving potentially destructive operations (brute force, credential stuffing), there's no verification step to confirm authorization scope or check for unintended impact before proceeding.

Progressive Disclosure (1 / 3): Monolithic wall of text with no references to external files. All content is inline despite being far too long for a single SKILL.md. The quick reference tables, examples, and detailed phase instructions could easily be split into separate files. No bundle files exist to support progressive disclosure.

Total: 6 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 10 / 11 passed

Criteria / Description / Result

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11 (Passed)

Repository: sickn33/antigravity-awesome-skills (Reviewed)
