Execute comprehensive web application security testing using Burp Suite's integrated toolset, including HTTP traffic interception and modification, request analysis and replay, automated vulnerability scanning, and manual testing workflows.
Score: 56
Quality: 47% (Does it follow best practices?)
Impact: Pending (No eval scenarios have been run)
Critical: Do not install without reviewing
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/burp-suite-testing/SKILL.md`

Quality

Discovery: 67%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description does well at specifying concrete capabilities and carving out a distinct niche around Burp Suite web security testing. However, it lacks an explicit 'Use when...' clause which caps completeness, and could benefit from additional natural trigger terms that users commonly use when requesting security testing help.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about web application security testing, penetration testing, intercepting HTTP requests, or using Burp Suite.'
Include common user-facing trigger terms like 'pentest', 'pen testing', 'web security audit', 'proxy', 'OWASP', and 'intercept requests' to improve discoverability.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: HTTP traffic interception and modification, request analysis and replay, automated vulnerability scanning, and manual testing workflows. These are clear, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' with specific capabilities, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The when is only implied by the nature of the actions described. | 2 / 3 |
| Trigger Term Quality | Includes good terms like 'Burp Suite', 'security testing', 'HTTP traffic interception', 'vulnerability scanning', but misses common user variations like 'pentest', 'pen testing', 'web security', 'proxy', 'intercept requests', or 'OWASP'. | 2 / 3 |
| Distinctiveness Conflict Risk | Very distinct niche: Burp Suite is a specific tool for web application security testing. The mention of Burp Suite and its specific toolset (interception, replay, scanning) makes it highly unlikely to conflict with other skills. | 3 / 3 |
| Total | | 10 / 12 Passed |
Implementation: 27%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads like a reformatted Burp Suite user manual rather than a concise operational guide for Claude. It is excessively verbose, explains many concepts Claude already understands, and packs everything into a single monolithic file. While the workflow structure is logical and the examples are somewhat concrete, the lack of validation checkpoints in a security testing context and the absence of progressive disclosure significantly reduce its effectiveness.
Suggestions
Reduce content by 60-70%: remove the editions comparison table, scope benefits list, troubleshooting section, and explanations of what each Burp tool does—Claude knows these. Focus only on the specific workflow steps and decision points.
Split into multiple files: move common testing payloads to PAYLOADS.md, troubleshooting to TROUBLESHOOTING.md, and Intruder attack configuration to INTRUDER.md, with clear one-level references from the main skill.
Add explicit validation checkpoints: after each phase, include verification steps (e.g., 'Verify interception is working by confirming you see the request in HTTP history before proceeding') and feedback loops for when expected results don't appear.
Clarify Claude's actual role: since Burp Suite is a GUI tool, specify whether Claude is generating instructions for a human operator, writing automation scripts using Burp's REST API, or creating Burp extension code—this fundamentally changes what actionable guidance looks like.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~300+ lines, explaining many concepts Claude already knows (what HTTP history is, what interception means, what Repeater does). The editions comparison table, scope benefits list, and extensive troubleshooting section add significant token overhead. Much of this is Burp Suite documentation repackaged rather than concise operational guidance. | 1 / 3 |
| Actionability | The skill provides step-by-step GUI navigation instructions and some concrete payloads, but since Burp Suite is a GUI tool that Claude cannot directly operate, the actionability is inherently limited. The testing payloads and HTTP request examples are concrete and useful, but much of the content is click-by-click GUI instructions rather than executable commands. | 2 / 3 |
| Workflow Clarity | The six-phase workflow is clearly sequenced and logically ordered, but lacks validation checkpoints. There are no explicit verification steps (e.g., 'confirm the proxy is intercepting by checking X'), no feedback loops for when modifications don't produce expected results, and no guidance on when to stop or escalate. For security testing involving potentially destructive operations, this caps the score at 2. | 2 / 3 |
| Progressive Disclosure | The entire skill is a monolithic wall of text with no references to external files. All content (quick reference, troubleshooting, examples, payload lists, attack type descriptions) is inlined into a single massive document. The payload reference, troubleshooting guide, and detailed phase instructions could easily be split into separate referenced files. | 1 / 3 |
| Total | | 6 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation: 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |