Execute comprehensive web application security testing using Burp Suite's integrated toolset, including HTTP traffic interception and modification, request analysis and replay, automated vulnerability scanning, and manual testing workflows.
Quality: 47% (Does it follow best practices?)
Impact: Pending (No eval scenarios have been run)
Critical: Do not install without reviewing

Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/burp-suite-testing/SKILL.md`

Quality

Discovery: 67%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description does well at specifying concrete capabilities and carving out a distinct niche around Burp Suite web security testing. However, it lacks an explicit 'Use when...' clause, which limits its completeness score, and it could benefit from additional natural trigger terms that users commonly use when requesting security testing help.
Suggestions
Add a 'Use when...' clause such as 'Use when the user asks about web application security testing, penetration testing, intercepting HTTP requests, or working with Burp Suite.'
Include common user-facing trigger terms like 'pentest', 'pen testing', 'web security', 'proxy', 'OWASP', and 'intercept requests' to improve keyword coverage.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: HTTP traffic interception and modification, request analysis and replay, automated vulnerability scanning, and manual testing workflows. These are clear, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' with specific capabilities, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied by the nature of the actions described. | 2 / 3 |
| Trigger Term Quality | Includes relevant terms like 'Burp Suite', 'security testing', 'HTTP traffic interception', 'vulnerability scanning', but misses common user variations like 'pentest', 'pen testing', 'web security', 'proxy', 'intercept requests', or 'OWASP'. | 2 / 3 |
| Distinctiveness / Conflict Risk | Clearly scoped to Burp Suite and web application security testing, which is a distinct niche. The mention of a specific tool (Burp Suite) and a specific domain (web app security) makes it unlikely to conflict with other skills. | 3 / 3 |
| Total | | 10 / 12 Passed |
Implementation: 27%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads like a comprehensive Burp Suite beginner tutorial rather than a concise, actionable skill for Claude. It over-explains GUI workflows that Claude cannot directly execute, includes substantial content Claude already knows (HTTP concepts, what SQL injection is), and packs everything into a single monolithic file. The testing payloads and examples provide some value, but the overall token cost is disproportionate to the unique information conveyed.
Suggestions
Reduce content by 60-70% by removing explanations of concepts Claude already knows (HTTP basics, what interception means, what SQL injection is) and focusing only on Burp-specific workflows and non-obvious configuration details.
Split reference material (payloads, keyboard shortcuts, troubleshooting, Intruder attack types) into separate bundle files and reference them from the main SKILL.md.
Add explicit validation checkpoints to the workflow, such as verifying proxy connectivity before testing, confirming scope configuration is correct, and validating scan results against false positive indicators.
Clarify the skill's actual use case for Claude — since Burp Suite is a GUI tool, focus on what Claude can realistically help with (generating payloads, analyzing captured requests/responses, writing reports) rather than step-by-step GUI navigation.
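The scope checkpoint suggested above is the kind of thing an agent can realistically execute rather than describe. The script below is an added example for this review, not code from the skill, from Tessl, or from PortSwigger. It mimics Burp's advanced scope controls (each rule has an optional protocol, a host regex, an optional port and an optional file regex; exclude rules override include rules) and runs a candidate URL list through the rules before any Intruder or scanner traffic is sent. Assumptions are labelled in the code: the regexes are applied with search semantics, the "file" regex is matched against path plus query string, and the rule set and URLs are constructed for the example. The default proxy listener address 127.0.0.1:8080 is Burp's documented default.

```python
import re
import socket
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ScopeRule:
    """One row of Burp-style advanced scope control. None means 'any' for that field.
    Assumption: regexes are applied with search semantics, so anchor them (^...$)."""
    host: str                       # regex matched against the hostname
    protocol: Optional[str] = None  # "http" or "https"
    port: Optional[int] = None      # explicit port; defaults are inferred from the scheme
    file: Optional[str] = None      # regex matched against path + query (assumption)

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if self.protocol is not None and scheme != self.protocol:
            return False
        hostname = (parts.hostname or "").lower()
        if not re.search(self.host, hostname, re.IGNORECASE):
            return False
        port = parts.port or (443 if scheme == "https" else 80)
        if self.port is not None and port != self.port:
            return False
        target = parts.path or "/"
        if parts.query:
            target = f"{target}?{parts.query}"
        return self.file is None or re.search(self.file, target) is not None


class TargetScope:
    """Include/exclude rule sets with Burp's precedence: any exclude match wins."""

    def __init__(self, include: Iterable[ScopeRule], exclude: Iterable[ScopeRule] = ()):
        self.include = list(include)
        self.exclude = list(exclude)

    def in_scope(self, url: str) -> bool:
        if any(rule.matches(url) for rule in self.exclude):
            return False
        return any(rule.matches(url) for rule in self.include)

    def partition(self, urls: Iterable[str]):
        """Split candidate URLs into (in_scope, out_of_scope) for a pre-test review."""
        urls = list(urls)
        inside = [u for u in urls if self.in_scope(u)]
        return inside, [u for u in urls if u not in inside]


def proxy_listening(host: str = "127.0.0.1", port: int = 8080, timeout: float = 1.0) -> bool:
    """Connectivity checkpoint: is anything accepting TCP on Burp's default listener?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed example scope: authorised hosts for a hypothetical engagement.
ENGAGEMENT_SCOPE = TargetScope(
    include=[
        ScopeRule(host=r"^(.*\.)?app\.example\.com$", protocol="https"),
        ScopeRule(host=r"^api\.example\.com$", protocol="https", port=443, file=r"^/v2/"),
    ],
    exclude=[
        ScopeRule(host=r"^(.*\.)?app\.example\.com$", file=r"^/logout(\?.*)?$"),
        ScopeRule(host=r"^admin\.app\.example\.com$"),
    ],
)

# Constructed candidate URLs, e.g. pulled from the site map before launching Intruder.
CANDIDATE_URLS = [
    "https://app.example.com/account",
    "https://shop.app.example.com/cart?id=1",
    "http://app.example.com/account",            # wrong protocol
    "https://app.example.com/logout",            # excluded path
    "https://admin.app.example.com/",            # excluded host
    "https://api.example.com/v2/users",
    "https://api.example.com/v1/users",          # file regex does not match
    "https://api.example.com:8443/v2/users",     # wrong port
    "https://app.example.com.evil.net/account",  # lookalike host, rejected by the anchored regex
]


def unanchored_host_pitfall() -> bool:
    """An unanchored host regex silently widens scope to attacker-controlled lookalikes."""
    return ScopeRule(host=r"app\.example\.com").matches("https://app.example.com.evil.net/account")


if __name__ == "__main__":
    print("proxy listener reachable:", proxy_listening())
    inside, outside = ENGAGEMENT_SCOPE.partition(CANDIDATE_URLS)
    print("in scope:", *inside, sep="\n  ")
    print("out of scope:", *outside, sep="\n  ")
    print("unanchored pitfall matches lookalike host:", unanchored_host_pitfall())
```

The partition output is what a tester reviews against the authorisation letter before enabling the scanner; the `unanchored_host_pitfall` check shows why host patterns entered into Burp's scope dialog should be anchored.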
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at roughly 300 lines or more, explaining many concepts Claude already knows (what HTTP history is, what interception means, what Burp Suite editions offer). The editions comparison table, scope benefits list, and extensive troubleshooting sections add significant token overhead without providing novel, actionable information. Much of this reads like a Burp Suite tutorial for beginners rather than a concise skill reference. | 1 / 3 |
| Actionability | The skill provides step-by-step GUI navigation instructions and some concrete payloads/examples, but since Burp Suite is a GUI tool that Claude cannot directly operate, the actionability is inherently limited. The testing payloads and HTTP request examples are concrete and useful, but much of the content is click-by-click GUI instructions rather than executable commands or scripts. | 2 / 3 |
| Workflow Clarity | The six-phase workflow is clearly sequenced and logically ordered, but validation checkpoints are largely absent. There is no explicit verification step after modifications (e.g., confirming the modified request produced the expected response), no feedback loop for when scans fail or produce false positives, and no clear decision points for when to escalate or pivot testing approaches. | 2 / 3 |
| Progressive Disclosure | The entire skill is a monolithic wall of text with no references to supporting files. Content like the full payloads list, troubleshooting guide, keyboard shortcuts, and detailed Intruder configuration could easily be split into separate reference files. With no bundle files and no external references, everything is crammed into one long document. | 1 / 3 |
| Total | | 6 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 10 / 11 passed

| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |