Name: cisco/software-security
Rating: 82.8 (1 reviews)
Author: cisco

cisco/software-security

A software security skill that integrates with Project CodeGuard to help AI coding agents write secure code and prevent common vulnerabilities. Use this skill when writing, reviewing, or modifying code to ensure secure-by-default practices are followed.

1.78x

Quality

82%

Does it follow best practices?

Impact

84%

1.78x

Average score across 5 eval scenarios

Securityby

Passed

No known issues

Quality

Content

87%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-crafted security skill that efficiently communicates when to apply security rules and provides concrete, executable examples. The progressive disclosure is excellent with clear references to detailed rule files. The main weakness is the workflow section, which outlines steps but lacks explicit validation checkpoints or feedback loops for handling discovered security issues.

Suggestions

Add explicit validation/feedback loop to the Security Review phase (e.g., 'If issues found: fix and re-review before committing')

Consider adding a brief checklist format to the Security Review step to make verification more actionable

Dimension	Reasoning	Score
Conciseness	The skill is lean and efficient, avoiding explanations of basic concepts Claude already knows. Every section serves a clear purpose with no padding or unnecessary context.	3 / 3
Actionability	Provides fully executable Python code examples showing both insecure and secure patterns. The examples are copy-paste ready and cover credential handling, SQL injection, and password storage.	3 / 3
Workflow Clarity	The three-phase workflow (Initial Security Check, Code Generation, Security Review) provides clear sequencing, but lacks explicit validation checkpoints or feedback loops for error recovery when security issues are found.	2 / 3
Progressive Disclosure	Excellent structure with clear overview, well-signaled one-level-deep references to rule files (LANGUAGE_RULES.md, specific rule files), and appropriate content splitting between the main skill and detailed rules.	3 / 3
	Total	11 / 12 Passed

Description

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description has a solid structure with explicit 'Use when' guidance, making it complete. However, it lacks specific concrete actions (what exactly does it do beyond 'write secure code'?) and could benefit from more natural trigger terms that users would actually say when encountering security issues. The integration with 'Project CodeGuard' is mentioned but not explained.

Suggestions

Add specific concrete actions like 'detect SQL injection vulnerabilities', 'implement secure password hashing', 'validate and sanitize user input', or 'review authentication flows'

Expand trigger terms to include common security vocabulary users would naturally use: 'XSS', 'CSRF', 'injection', 'OWASP', 'secure coding', 'penetration testing', 'input validation'

Dimension	Reasoning	Score
Specificity	Names the domain (software security) and mentions some actions like 'write secure code' and 'prevent common vulnerabilities', but lacks specific concrete actions. The examples given (authentication, cryptography, data handling) are categories rather than specific actions like 'validate input', 'encrypt passwords', or 'sanitize SQL queries'.	2 / 3
Completeness	Clearly answers both what ('integrates with Project CodeGuard to help AI coding agents write secure code and prevent common vulnerabilities') and when ('Use this skill when security concerns are mentioned, when reviewing code for vulnerabilities, or when implementing authentication, cryptography, or data handling').	3 / 3
Trigger Term Quality	Includes some relevant keywords like 'security', 'vulnerabilities', 'authentication', 'cryptography', and 'data handling'. However, missing common variations users might say like 'secure', 'XSS', 'SQL injection', 'OWASP', 'password hashing', 'encryption', or 'input validation'.	2 / 3
Distinctiveness Conflict Risk	The security focus provides some distinctiveness, but 'reviewing code' could overlap with general code review skills, and 'data handling' is quite broad. The mention of 'Project CodeGuard' adds specificity, but the general security framing could still conflict with other security-related skills.	2 / 3
	Total	9 / 12 Passed

Validation

81%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 13 / 16 Passed

Validation for skill structure

Criteria	Description	Result
description_trigger_hint	Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...')	Warning
body_output_format	No obvious output/return/format terms detected; consider specifying expected outputs	Warning
body_steps	No step-by-step structure detected (no ordered list); consider adding a simple workflow	Warning

	Total	13 / 16 Passed

Reviewed

4 months ago

Table of Contents

Discovery Implementation Validation