api-design Skill Evaluation Report¶
Method: skill-creator A/B testing Date: 2026-04-18 Subject:
skills/api-design/— REST API contract designer and reviewer
The api-design skill shows a striking pattern: the baseline performs near-perfectly on standard multi-defect reviews and minimal-context scenarios, but drops to just 66.7% on the breaking-change scenario (public API with 12 active partner integrations) — the largest single-scenario gap we've seen across all evaluated skills. The skill's Gate 3 STOP mechanism and the §8.7 Compatibility Assessment structure are responsible for most of the difference.
1. Skill Overview¶
Core files:
| File | Lines | Purpose |
|---|---|---|
SKILL.md | ~380 | Main framework: 4 Gates, 3 depths, 16-item checklist, 12-item scorecard, 9-section output contract |
references/error-model-patterns.md | ~180 | Standard/Deep: error envelope, idempotency keys, ETag, IDOR-safe 404 |
references/compatibility-rules.md | ~200 | Deep/breaking-change: compatibility matrix, Sunset protocol, multi-version coexistence, contract testing |
references/api-anti-examples.md | ~140 | Extended anti-examples AE-7 through AE-13 |
Key safety rules the skill enforces: - AE-1: Verbs in URLs (/createUser) break REST semantics and tooling - AE-2: HTTP 200 for errors tricks CDNs, clients, and monitoring - AE-3: Unstructured error messages force clients to string-match, which breaks on rewording - AE-5: Missing object-level authorization (IDOR) — OWASP API Security Top 1 - Breaking Change GUARDRAIL: Any field removal, rename, or type change on a public API must trigger Gate 3 STOP and require a migration plan before proceeding
2. Test Design¶
2.1 Scenarios¶
| # | Name | Context | Core challenge | Expected outcome |
|---|---|---|---|---|
| 1 | Multi-defect REST review | Internal order management API, React + iOS consumers | Verb URLs + 200-for-errors + IDOR + no idempotency | Critical 0/3, Scorecard FAIL |
| 2 | Public API breaking changes | v1 public API, 12 active partner integrations | 4 breaking changes with no versioning or migration plan | Gate 3 STOP, create v2 + 90-day deprecation window |
| 3 | Minimal context (degraded mode) | Payment API, no consumer type / public-vs-internal / SLA | No architecture context at all | Minimal mode declared, consumer type unknown flagged |
2.2 Assertion Matrix (24 total)¶
Scenario 1 — Multi-defect REST review (9 assertions)
| ID | Assertion | With Skill | Without Skill |
|---|---|---|---|
| A1 | Flags /createOrder and /cancelOrder as verb-in-URL violations (AE-1, Critical) | PASS | PASS |
| A2 | Flags HTTP 200 for error responses (AE-2, Critical) | PASS | PASS |
| A3 | Flags missing object-level auth on GET /orders/{id} (IDOR, OWASP #1, Critical) | PASS | PASS |
| A4 | Flags missing Idempotency-Key as a Standard defect (mobile retries = duplicate orders) | PASS | PASS |
| A5 | Recommends standard error envelope {error: {code, message, details[], trace_id}} | PASS | PASS |
| A6 | Recommends cursor-based pagination over offset (avoids data drift under concurrent writes) | PASS | PASS |
| A7 | Scores original API as Critical 0/3 on the scorecard | PASS | PASS |
| A8 | §8.9 Uncovered Risks uses the required 4-column table (Area | Reason | Impact | Follow-up) | PASS | PASS |
| A9 | Explicitly cross-references anti-example numbers (AE-1, AE-2, AE-5) | PASS | PARTIAL |
Scenario 1 result: With Skill 9/9, Without Skill 8.5/9 — the only gap is that the baseline mentions AE-5 once by accident but never systematically cites AE numbers.
Scenario 2 — Public API breaking changes (9 assertions)
| ID | Assertion | With Skill | Without Skill |
|---|---|---|---|
| B1 | Identifies phone_number removal as a breaking change | PASS | PASS |
| B2 | Identifies adding required billing_address as Critical breaking (all existing POSTs fail) | PASS | PASS |
| B3 | Identifies the error format change (string → object) as breaking (affects every error path) | PASS | PASS |
| B4 | Identifies renaming order_status → status as a breaking change | PASS | PASS |
| B5 | Recommends creating /api/v2/ with all changes while leaving v1 untouched | PASS | PASS |
| B6 | Recommends Deprecation + Sunset headers with a minimum 90-day window | PASS | PASS |
| B7 | Explicitly triggers Gate 3 STOP (UNSAFE — migration plan required before proceeding) | PASS | FAIL |
| B8 | §8.9 Uncovered Risks uses the required 4-column table | PASS | FAIL |
| B9 | Appends a Data basis: label after the scorecard | PASS | FAIL |
Scenario 2 result: With Skill 9/9, Without Skill 6/9 — three failures: Gate STOP framework, §8.9 table format, and Data basis label.
Scenario 3 — Minimal context, degraded mode (6 assertions)
| ID | Assertion | With Skill | Without Skill |
|---|---|---|---|
| C1 | Declares Minimal or Degraded mode | PASS | PASS |
| C2 | §8.9 includes "consumer type unknown" as a risk | PASS | PASS |
| C3 | §8.9 includes "public vs. internal unknown" as a risk | PASS | PASS |
| C4 | §8.9 uses the required 4-column table | PASS | PASS |
| C5 | Flags missing Idempotency-Key on POST /payments (financial — retries mean duplicate charges) | PASS | PASS |
| C6 | Appends Data basis: minimal label | PASS | PASS |
Scenario 3 result: With Skill 6/6, Without Skill 6/6 — no gap at all.
3. Pass Rate Summary¶
3.1 Overall¶
| Configuration | PASS | PARTIAL | FAIL | Strict pass rate |
|---|---|---|---|---|
| With Skill | 24/24 | 0 | 0 | 100% |
| Without Skill | 20/24 | 1 | 3 | 83.3% + 2.1% partial |
Delta: +14.6 percentage points (strict PASS)
3.2 By scenario¶
| Scenario | With Skill | Without Skill | Where points were lost |
|---|---|---|---|
| S1 Multi-defect review | 9/9 (100%) | 8.5/9 (94.4%) | A9: AE number cross-references |
| S2 Breaking changes | 9/9 (100%) | 6/9 (66.7%) | B7/B8/B9: Gate STOP + §8.9 format + Data basis |
| S3 Minimal context | 6/6 (100%) | 6/6 (100%) | No gap |
Why S2 is the outlier. A public API breaking-change assessment needs three things the baseline skipped entirely:
- Gate 3 STOP: the baseline went straight to narrative recommendations without formally classifying each change as UNSAFE and requiring a migration plan
- §8.9 table format: the baseline used freeform headers ("Compatibility Summary", "What Must Be Done") rather than the structured 4-column risk table
- Data basis label: simply absent in the baseline output
S1 performs well at baseline (94.4%) because REST anti-patterns are widely trained into the model. S3 is perfect at baseline for the same reason we've seen across previous skill evaluations.
4. Key Differences¶
4.1 Behaviors unique to the With-Skill group¶
| Behavior | Appears in | Source |
|---|---|---|
| Gate 3 STOP explicitly declared (UNSAFE → migration plan required) | S2 | §2 Mandatory Gates |
| Formal §8.1–§8.9 section numbering (including §8.7 Compatibility Assessment) | S1, S2, S3 | §8 Output Contract |
| AE number cross-references (AE-1, AE-2, AE-5) | S1 | §6 Anti-Examples |
| Per-change breaking/non-breaking classification with individual mitigation | S2 | §5.4 + compatibility-rules.md |
Data basis: label appended to every scorecard | S1, S2, S3 | §8 Scorecard contract |
4.2 Technical knowledge comparison¶
| Check | With Skill | Without Skill |
|---|---|---|
| All 4 breaking change types identified | PASS | PASS |
| Sunset protocol (90-day warning period) | PASS | PASS |
| v1/v2 coexistence strategy | PASS | PASS |
| IDOR: return 404 not 403 | PASS | PASS |
| Idempotency-Key for financial mutations | PASS | PASS |
| Gate 3 STOP explicitly triggered | PASS | FAIL |
| §8.7 per-change compatibility table | PASS | FAIL |
The baseline knows the domain well — Sunset headers, v2 migration, IDOR-safe 404, all come out correctly. The gap is purely about whether the structured framework is followed.
5. Token Cost Analysis¶
5.1 Skill context overhead¶
| Component | Lines | Estimated tokens | When loaded |
|---|---|---|---|
SKILL.md | ~380 | ~5,000 | Every request |
error-model-patterns.md | ~180 | ~2,300 | Standard/Deep |
compatibility-rules.md | ~200 | ~2,600 | Deep / breaking-change signal |
5.2 Actual token consumption¶
| Agent | Scenario | Total tokens | Tool calls | Output |
|---|---|---|---|---|
| Without Skill | S1 | 36,546 | 2 | Exploratory — all defects found |
| With Skill | S1 | 18,229 | 0 | Structured — AE references included |
| Without Skill | S2 | 14,053 | 0 | Narrative — no Gate/§8.9/Data basis |
| With Skill | S2 | 18,577 | 0 | Full §8.x structure + Gate STOP |
| Without Skill | S3 | 36,028 | 2 | Exploratory — matches skill quality |
| With Skill | S3 | 16,420 | 0 | Structured — Minimal mode declared |
5.3 Efficiency summary¶
| Metric | S1 | S2 (reversed) | S3 | Average |
|---|---|---|---|---|
| Without Skill tokens | 33,536 | 14,053 | 32,257 | 26,615 |
| With Skill tokens | 18,229 | 18,577 | 16,420 | 17,742 |
| Token change | −45.7% | +32.2% | −49.1% | −33.3% |
| Quality gain | +5.6 pp | +33.3 pp | 0 pp | +14.6 pp |
The S2 reversal is the most interesting finding in this evaluation. The Without-Skill agent spent only 14,053 tokens — the cheapest run in the entire evaluation — yet produced the lowest-quality output. The With-Skill agent spent 18,577 tokens and produced the highest quality gain (+33.3 pp).
This points to a principle worth stating explicitly: when the structured output is the value (a breaking-change assessment is only useful if every change is classified individually and traceable), token cost going up is fine. The extra ~4,500 tokens bought the Gate 3 STOP, the §8.7 compatibility table, and the Data basis label — all three of which the baseline skipped entirely.
For S1 and S3, the skill saves about 47% of tokens while matching or exceeding baseline quality, so the overall average is still a 33% saving.
6. Weighted Scores¶
6.1 Dimension scores (out of 5)¶
| Dimension | With Skill | Without Skill | Gap |
|---|---|---|---|
| Critical defect detection | 5.0 | 4.8 | +0.2 |
| API contract output structure (§8.x compliance) | 5.0 | 3.5 | +1.5 |
| Breaking-change assessment framework (Gate + §8.7) | 5.0 | 3.0 | +2.0 |
| Error model design (envelope, status codes, IDOR-safe 404) | 5.0 | 4.5 | +0.5 |
| Degraded mode handling (minimal context) | 5.0 | 4.5 | +0.5 |
| Anti-pattern framework references (AE numbers, Gates) | 5.0 | 3.5 | +1.5 |
6.2 Weighted total (out of 10)¶
| Dimension | Weight | With Skill | Without Skill | Notes |
|---|---|---|---|---|
| Critical defect detection | 25% | 10.0 | 9.5 | Both find IDOR/AE-1/AE-2; baseline's IDOR explanation is slightly shallower |
| API contract output structure | 20% | 10.0 | 7.0 | With Skill: 100% §8.x compliant; baseline: no §8.9 table in S2 |
| Breaking-change framework | 20% | 10.0 | 6.0 | Gate 3 STOP + §8.7 table: completely absent in baseline |
| Error model design | 15% | 10.0 | 9.0 | Both recommend the standard envelope; skill adds metric/audit fields |
| Degraded mode handling | 10% | 10.0 | 9.0 | S3 both perfect; skill's §8.9 risk list is more complete (12 vs 8 items) |
| Anti-pattern references | 10% | 10.0 | 7.0 | Skill: systematic AE citations; baseline: occasional accidental mention |
| Weighted total | 100% | 10.00/10 | 7.95/10 | — |
7. Findings and Recommendations¶
Finding 1: Breaking-change assessment is where the skill adds the most value¶
Unlike the migration and caching skills — where the quality gap is fairly uniform across scenarios — api-design has an uneven distribution:
| Scenario type | Baseline quality | Where the skill helps |
|---|---|---|
| Standard multi-defect review (S1) | 94.4% | Marginal — mainly AE references and §8.x formatting |
| Public API breaking changes (S2) | 66.7% | Critical — Gate STOP, per-change classification, migration timeline |
| Minimal context (S3) | 100% | None — baseline already perfect |
If your team manages a public API with external partners, the skill's ROI is substantially higher than for internal API reviews.
Finding 2: "Framework overhead = value" for structured assessments¶
In S2, the baseline chose to give a concise narrative (14,053 tokens, lowest in the test) and missed all three framework-specific behaviors. This illustrates a general pattern:
A structured framework doesn't just impose a format — it forces a thinking process. Gate 3's STOP condition compels the reviewer to classify every change before offering any recommendations. Without it, a capable model will jump straight to "here's what to do" and skip the classification entirely.
Finding 3: Comparison across evaluated skills¶
| Skill | Baseline quality | Delta | Token effect | Pattern |
|---|---|---|---|---|
| mysql-migration | 52% | +48 pp | +51% overhead | Knowledge injection |
| pg-migration | 87% | +13 pp | −46% savings | Structure + efficiency |
| mongo-migration | 87.5% | +12.5 pp | −29% savings | S3 anomaly |
| redis-cache-strategy | 89.6% | +10.4 pp | −49.7% savings | Most stable |
| api-design | 85.4% | +14.6 pp | −33.3% savings | Most uneven by scenario |
api-design has the most scenario-to-scenario variation of any evaluated skill. Basic REST design knowledge (plural nouns, 4xx status codes, IDOR awareness) is thoroughly trained into the model. Public API versioning and breaking-change governance are not — at least not at the level of structured, traceable, gate-controlled analysis.
Improvement suggestions¶
-
Make compatibility-rules.md trigger earlier: currently it only loads at Deep depth, but any request mentioning "breaking", "deprecation", or "versioning" should load it regardless of depth. This would prevent the S2 scenario from slipping through without the full framework.
-
Add a multi-breaking-change golden fixture: the existing API-006 tests a single breaking change. There is no fixture testing Gate 3 STOP when multiple breaking changes appear simultaneously. This is a coverage gap given how common that situation is.
-
Add a webhook API fixture: webhooks appear in the consumer type list but have no dedicated golden scenario (noted as Medium priority in COVERAGE.md).
8. Conclusion¶
Rating: Production-ready. Highest ROI when used for public API and partner integration scenarios.
Three things the skill does well:
-
Breaking-change governance: the Gate 3 STOP mechanism and §8.7 Compatibility Assessment add 33.3 percentage points of quality in the scenario that matters most — public API changes with active integrations. This is the largest single-scenario gain across all skills evaluated so far.
-
Auditable output: the §8.1–§8.9 section structure makes every API review traceable. For compliance-sensitive contexts (partner SLAs, external contracts), a structured scorecard with a
Data basis:label is more than a formatting preference — it's a record. -
Efficient for standard reviews: S1 and S3 save around 47% of tokens while matching or improving on baseline quality.
Recommended usage priority:
- Highest ROI — public or partner-facing API breaking-change assessments
- Standard use — internal API full-surface reviews with multiple defects to catch
- Optional — minimal-context scenarios where the baseline already performs perfectly and the skill mainly contributes structural consistency