A software security skill that integrates with Project CodeGuard to help AI coding agents write secure code and prevent common vulnerabilities. Use this skill when writing, reviewing, or modifying code to ensure secure-by-default practices are followed.
Evaluation — 84%
Does it follow best practices?
↑ 1.78x agent success when using this tile
Discovery — 67%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description has a solid structure with explicit 'Use when' guidance, making it complete. However, it lacks specific concrete actions (what exactly does it do beyond 'write secure code'?) and could benefit from more natural trigger terms that users would actually say when encountering security issues. The integration with 'Project CodeGuard' is mentioned but not explained.
Suggestions
- Add specific concrete actions like 'detect SQL injection vulnerabilities', 'implement secure password hashing', 'validate and sanitize user input', or 'review authentication flows'
- Expand trigger terms to include common security vocabulary users would naturally use: 'XSS', 'CSRF', 'injection', 'OWASP', 'secure coding', 'penetration testing', 'input validation'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (software security) and mentions some actions like 'write secure code' and 'prevent common vulnerabilities', but lacks specific concrete actions. The examples given (authentication, cryptography, data handling) are categories rather than specific actions like 'validate input', 'encrypt passwords', or 'sanitize SQL queries'. | 2 / 3 |
| Completeness | Clearly answers both what ('integrates with Project CodeGuard to help AI coding agents write secure code and prevent common vulnerabilities') and when ('Use this skill when security concerns are mentioned, when reviewing code for vulnerabilities, or when implementing authentication, cryptography, or data handling'). | 3 / 3 |
| Trigger Term Quality | Includes some relevant keywords like 'security', 'vulnerabilities', 'authentication', 'cryptography', and 'data handling'. However, missing common variations users might say like 'secure', 'XSS', 'SQL injection', 'OWASP', 'password hashing', 'encryption', or 'input validation'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The security focus provides some distinctiveness, but 'reviewing code' could overlap with general code review skills, and 'data handling' is quite broad. The mention of 'Project CodeGuard' adds specificity, but the general security framing could still conflict with other security-related skills. | 2 / 3 |
| Total | | 9 / 12 Passed |
Implementation — 87%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-crafted security skill that efficiently communicates when to apply security rules and provides concrete, executable examples. The progressive disclosure is excellent with clear references to detailed rule files. The main weakness is the workflow section, which outlines steps but lacks explicit validation checkpoints or feedback loops for handling discovered security issues.
Suggestions
- Add an explicit validation/feedback loop to the Security Review phase (e.g., 'If issues found: fix and re-review before committing')
- Consider adding a brief checklist format to the Security Review step to make verification more actionable
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, avoiding explanations of basic concepts Claude already knows. Every section serves a clear purpose with no padding or unnecessary context. | 3 / 3 |
| Actionability | Provides fully executable Python code examples showing both insecure and secure patterns. The examples are copy-paste ready and cover credential handling, SQL injection, and password storage. | 3 / 3 |
| Workflow Clarity | The three-phase workflow (Initial Security Check, Code Generation, Security Review) provides clear sequencing, but lacks explicit validation checkpoints or feedback loops for error recovery when security issues are found. | 2 / 3 |
| Progressive Disclosure | Excellent structure with clear overview, well-signaled one-level-deep references to rule files (LANGUAGE_RULES.md, specific rule files), and appropriate content splitting between the main skill and detailed rules. | 3 / 3 |
| Total | | 11 / 12 Passed |
Validation — 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 13 / 16 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
| body_output_format | No obvious output/return/format terms detected; consider specifying expected outputs | Warning |
| body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
| Total | | 13 / 16 Passed |
Install with Tessl CLI: `npx tessl i cisco/software-security`