Skip to content

api-design Skill Evaluation Report

Method: skill-creator A/B testing Date: 2026-04-18 Subject: skills/api-design/ — REST API contract designer and reviewer


The api-design skill shows a striking pattern: the baseline performs near-perfectly on standard multi-defect reviews and minimal-context scenarios, but drops to just 66.7% on the breaking-change scenario (public API with 12 active partner integrations) — the largest single-scenario gap we've seen across all evaluated skills. The skill's Gate 3 STOP mechanism and the §8.7 Compatibility Assessment structure are responsible for most of the difference.


1. Skill Overview

Core files:

File Lines Purpose
SKILL.md ~380 Main framework: 4 Gates, 3 depths, 16-item checklist, 12-item scorecard, 9-section output contract
references/error-model-patterns.md ~180 Standard/Deep: error envelope, idempotency keys, ETag, IDOR-safe 404
references/compatibility-rules.md ~200 Deep/breaking-change: compatibility matrix, Sunset protocol, multi-version coexistence, contract testing
references/api-anti-examples.md ~140 Extended anti-examples AE-7 through AE-13

Key safety rules the skill enforces: - AE-1: Verbs in URLs (/createUser) break REST semantics and tooling - AE-2: HTTP 200 for errors tricks CDNs, clients, and monitoring - AE-3: Unstructured error messages force clients to string-match, which breaks on rewording - AE-5: Missing object-level authorization (IDOR) — OWASP API Security Top 1 - Breaking Change GUARDRAIL: Any field removal, rename, or type change on a public API must trigger Gate 3 STOP and require a migration plan before proceeding


2. Test Design

2.1 Scenarios

# Name Context Core challenge Expected outcome
1 Multi-defect REST review Internal order management API, React + iOS consumers Verb URLs + 200-for-errors + IDOR + no idempotency Critical 0/3, Scorecard FAIL
2 Public API breaking changes v1 public API, 12 active partner integrations 4 breaking changes with no versioning or migration plan Gate 3 STOP, create v2 + 90-day deprecation window
3 Minimal context (degraded mode) Payment API, no consumer type / public-vs-internal / SLA No architecture context at all Minimal mode declared, consumer type unknown flagged

2.2 Assertion Matrix (24 total)

Scenario 1 — Multi-defect REST review (9 assertions)

ID Assertion With Skill Without Skill
A1 Flags /createOrder and /cancelOrder as verb-in-URL violations (AE-1, Critical) PASS PASS
A2 Flags HTTP 200 for error responses (AE-2, Critical) PASS PASS
A3 Flags missing object-level auth on GET /orders/{id} (IDOR, OWASP #1, Critical) PASS PASS
A4 Flags missing Idempotency-Key as a Standard defect (mobile retries = duplicate orders) PASS PASS
A5 Recommends standard error envelope {error: {code, message, details[], trace_id}} PASS PASS
A6 Recommends cursor-based pagination over offset (avoids data drift under concurrent writes) PASS PASS
A7 Scores original API as Critical 0/3 on the scorecard PASS PASS
A8 §8.9 Uncovered Risks uses the required 4-column table (Area | Reason | Impact | Follow-up) PASS PASS
A9 Explicitly cross-references anti-example numbers (AE-1, AE-2, AE-5) PASS PARTIAL

Scenario 1 result: With Skill 9/9, Without Skill 8.5/9 — the only gap is that the baseline mentions AE-5 once by accident but never systematically cites AE numbers.


Scenario 2 — Public API breaking changes (9 assertions)

ID Assertion With Skill Without Skill
B1 Identifies phone_number removal as a breaking change PASS PASS
B2 Identifies adding required billing_address as Critical breaking (all existing POSTs fail) PASS PASS
B3 Identifies the error format change (string → object) as breaking (affects every error path) PASS PASS
B4 Identifies renaming order_statusstatus as a breaking change PASS PASS
B5 Recommends creating /api/v2/ with all changes while leaving v1 untouched PASS PASS
B6 Recommends Deprecation + Sunset headers with a minimum 90-day window PASS PASS
B7 Explicitly triggers Gate 3 STOP (UNSAFE — migration plan required before proceeding) PASS FAIL
B8 §8.9 Uncovered Risks uses the required 4-column table PASS FAIL
B9 Appends a Data basis: label after the scorecard PASS FAIL

Scenario 2 result: With Skill 9/9, Without Skill 6/9 — three failures: Gate STOP framework, §8.9 table format, and Data basis label.


Scenario 3 — Minimal context, degraded mode (6 assertions)

ID Assertion With Skill Without Skill
C1 Declares Minimal or Degraded mode PASS PASS
C2 §8.9 includes "consumer type unknown" as a risk PASS PASS
C3 §8.9 includes "public vs. internal unknown" as a risk PASS PASS
C4 §8.9 uses the required 4-column table PASS PASS
C5 Flags missing Idempotency-Key on POST /payments (financial — retries mean duplicate charges) PASS PASS
C6 Appends Data basis: minimal label PASS PASS

Scenario 3 result: With Skill 6/6, Without Skill 6/6 — no gap at all.


3. Pass Rate Summary

3.1 Overall

Configuration PASS PARTIAL FAIL Strict pass rate
With Skill 24/24 0 0 100%
Without Skill 20/24 1 3 83.3% + 2.1% partial

Delta: +14.6 percentage points (strict PASS)

3.2 By scenario

Scenario With Skill Without Skill Where points were lost
S1 Multi-defect review 9/9 (100%) 8.5/9 (94.4%) A9: AE number cross-references
S2 Breaking changes 9/9 (100%) 6/9 (66.7%) B7/B8/B9: Gate STOP + §8.9 format + Data basis
S3 Minimal context 6/6 (100%) 6/6 (100%) No gap

Why S2 is the outlier. A public API breaking-change assessment needs three things the baseline skipped entirely:

  1. Gate 3 STOP: the baseline went straight to narrative recommendations without formally classifying each change as UNSAFE and requiring a migration plan
  2. §8.9 table format: the baseline used freeform headers ("Compatibility Summary", "What Must Be Done") rather than the structured 4-column risk table
  3. Data basis label: simply absent in the baseline output

S1 performs well at baseline (94.4%) because REST anti-patterns are widely trained into the model. S3 is perfect at baseline for the same reason we've seen across previous skill evaluations.


4. Key Differences

4.1 Behaviors unique to the With-Skill group

Behavior Appears in Source
Gate 3 STOP explicitly declared (UNSAFE → migration plan required) S2 §2 Mandatory Gates
Formal §8.1–§8.9 section numbering (including §8.7 Compatibility Assessment) S1, S2, S3 §8 Output Contract
AE number cross-references (AE-1, AE-2, AE-5) S1 §6 Anti-Examples
Per-change breaking/non-breaking classification with individual mitigation S2 §5.4 + compatibility-rules.md
Data basis: label appended to every scorecard S1, S2, S3 §8 Scorecard contract

4.2 Technical knowledge comparison

Check With Skill Without Skill
All 4 breaking change types identified PASS PASS
Sunset protocol (90-day warning period) PASS PASS
v1/v2 coexistence strategy PASS PASS
IDOR: return 404 not 403 PASS PASS
Idempotency-Key for financial mutations PASS PASS
Gate 3 STOP explicitly triggered PASS FAIL
§8.7 per-change compatibility table PASS FAIL

The baseline knows the domain well — Sunset headers, v2 migration, IDOR-safe 404, all come out correctly. The gap is purely about whether the structured framework is followed.


5. Token Cost Analysis

5.1 Skill context overhead

Component Lines Estimated tokens When loaded
SKILL.md ~380 ~5,000 Every request
error-model-patterns.md ~180 ~2,300 Standard/Deep
compatibility-rules.md ~200 ~2,600 Deep / breaking-change signal

5.2 Actual token consumption

Agent Scenario Total tokens Tool calls Output
Without Skill S1 36,546 2 Exploratory — all defects found
With Skill S1 18,229 0 Structured — AE references included
Without Skill S2 14,053 0 Narrative — no Gate/§8.9/Data basis
With Skill S2 18,577 0 Full §8.x structure + Gate STOP
Without Skill S3 36,028 2 Exploratory — matches skill quality
With Skill S3 16,420 0 Structured — Minimal mode declared

5.3 Efficiency summary

Metric S1 S2 (reversed) S3 Average
Without Skill tokens 33,536 14,053 32,257 26,615
With Skill tokens 18,229 18,577 16,420 17,742
Token change −45.7% +32.2% −49.1% −33.3%
Quality gain +5.6 pp +33.3 pp 0 pp +14.6 pp

The S2 reversal is the most interesting finding in this evaluation. The Without-Skill agent spent only 14,053 tokens — the cheapest run in the entire evaluation — yet produced the lowest-quality output. The With-Skill agent spent 18,577 tokens and produced the highest quality gain (+33.3 pp).

This points to a principle worth stating explicitly: when the structured output is the value (a breaking-change assessment is only useful if every change is classified individually and traceable), token cost going up is fine. The extra ~4,500 tokens bought the Gate 3 STOP, the §8.7 compatibility table, and the Data basis label — all three of which the baseline skipped entirely.

For S1 and S3, the skill saves about 47% of tokens while matching or exceeding baseline quality, so the overall average is still a 33% saving.


6. Weighted Scores

6.1 Dimension scores (out of 5)

Dimension With Skill Without Skill Gap
Critical defect detection 5.0 4.8 +0.2
API contract output structure (§8.x compliance) 5.0 3.5 +1.5
Breaking-change assessment framework (Gate + §8.7) 5.0 3.0 +2.0
Error model design (envelope, status codes, IDOR-safe 404) 5.0 4.5 +0.5
Degraded mode handling (minimal context) 5.0 4.5 +0.5
Anti-pattern framework references (AE numbers, Gates) 5.0 3.5 +1.5

6.2 Weighted total (out of 10)

Dimension Weight With Skill Without Skill Notes
Critical defect detection 25% 10.0 9.5 Both find IDOR/AE-1/AE-2; baseline's IDOR explanation is slightly shallower
API contract output structure 20% 10.0 7.0 With Skill: 100% §8.x compliant; baseline: no §8.9 table in S2
Breaking-change framework 20% 10.0 6.0 Gate 3 STOP + §8.7 table: completely absent in baseline
Error model design 15% 10.0 9.0 Both recommend the standard envelope; skill adds metric/audit fields
Degraded mode handling 10% 10.0 9.0 S3 both perfect; skill's §8.9 risk list is more complete (12 vs 8 items)
Anti-pattern references 10% 10.0 7.0 Skill: systematic AE citations; baseline: occasional accidental mention
Weighted total 100% 10.00/10 7.95/10

7. Findings and Recommendations

Finding 1: Breaking-change assessment is where the skill adds the most value

Unlike the migration and caching skills — where the quality gap is fairly uniform across scenarios — api-design has an uneven distribution:

Scenario type Baseline quality Where the skill helps
Standard multi-defect review (S1) 94.4% Marginal — mainly AE references and §8.x formatting
Public API breaking changes (S2) 66.7% Critical — Gate STOP, per-change classification, migration timeline
Minimal context (S3) 100% None — baseline already perfect

If your team manages a public API with external partners, the skill's ROI is substantially higher than for internal API reviews.

Finding 2: "Framework overhead = value" for structured assessments

In S2, the baseline chose to give a concise narrative (14,053 tokens, lowest in the test) and missed all three framework-specific behaviors. This illustrates a general pattern:

A structured framework doesn't just impose a format — it forces a thinking process. Gate 3's STOP condition compels the reviewer to classify every change before offering any recommendations. Without it, a capable model will jump straight to "here's what to do" and skip the classification entirely.

Finding 3: Comparison across evaluated skills

Skill Baseline quality Delta Token effect Pattern
mysql-migration 52% +48 pp +51% overhead Knowledge injection
pg-migration 87% +13 pp −46% savings Structure + efficiency
mongo-migration 87.5% +12.5 pp −29% savings S3 anomaly
redis-cache-strategy 89.6% +10.4 pp −49.7% savings Most stable
api-design 85.4% +14.6 pp −33.3% savings Most uneven by scenario

api-design has the most scenario-to-scenario variation of any evaluated skill. Basic REST design knowledge (plural nouns, 4xx status codes, IDOR awareness) is thoroughly trained into the model. Public API versioning and breaking-change governance are not — at least not at the level of structured, traceable, gate-controlled analysis.

Improvement suggestions

  1. Make compatibility-rules.md trigger earlier: currently it only loads at Deep depth, but any request mentioning "breaking", "deprecation", or "versioning" should load it regardless of depth. This would prevent the S2 scenario from slipping through without the full framework.

  2. Add a multi-breaking-change golden fixture: the existing API-006 tests a single breaking change. There is no fixture testing Gate 3 STOP when multiple breaking changes appear simultaneously. This is a coverage gap given how common that situation is.

  3. Add a webhook API fixture: webhooks appear in the consumer type list but have no dedicated golden scenario (noted as Medium priority in COVERAGE.md).


8. Conclusion

Rating: Production-ready. Highest ROI when used for public API and partner integration scenarios.

Three things the skill does well:

  1. Breaking-change governance: the Gate 3 STOP mechanism and §8.7 Compatibility Assessment add 33.3 percentage points of quality in the scenario that matters most — public API changes with active integrations. This is the largest single-scenario gain across all skills evaluated so far.

  2. Auditable output: the §8.1–§8.9 section structure makes every API review traceable. For compliance-sensitive contexts (partner SLAs, external contracts), a structured scorecard with a Data basis: label is more than a formatting preference — it's a record.

  3. Efficient for standard reviews: S1 and S3 save around 47% of tokens while matching or improving on baseline quality.

Recommended usage priority:

  1. Highest ROI — public or partner-facing API breaking-change assessments
  2. Standard use — internal API full-surface reviews with multiple defects to catch
  3. Optional — minimal-context scenarios where the baseline already performs perfectly and the skill mainly contributes structural consistency