jbvc/frontend-security-coder

Expert in secure frontend coding practices specializing in XSS prevention, output sanitization, and client-side security patterns. Use PROACTIVELY for frontend security implementations or client-side security code reviews.

Quality: 52% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)


Quality

Discovery: 75%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description has a clear niche in frontend security and includes an explicit 'Use when' clause, which is a strength. However, it could be more specific in listing concrete actions and could include more natural trigger terms that users would actually say (e.g., 'cross-site scripting', 'HTML escaping', 'script injection'). The use of 'Expert in' as an opening is slightly fluffy but the rest is reasonably concrete.

Suggestions

Replace 'Expert in secure frontend coding practices specializing in' with concrete action verbs listing specific capabilities, e.g., 'Sanitizes HTML output, escapes user input, validates DOM manipulation, configures Content Security Policy headers.'

Expand trigger terms to include common user variations like 'cross-site scripting', 'script injection', 'HTML escaping', 'input sanitization', 'CSP headers', and '.js security'.

Dimension / Reasoning / Score

Specificity (2 / 3): Names the domain (frontend security) and some actions (XSS prevention, output sanitization, security code reviews), but doesn't list multiple concrete granular actions like 'sanitize HTML output, escape user input, validate DOM manipulation, configure CSP headers'.

Completeness (3 / 3): Clearly answers both 'what' (secure frontend coding practices, XSS prevention, output sanitization, client-side security patterns) and 'when' ('Use PROACTIVELY for frontend security implementations or client-side security code reviews'), with an explicit trigger clause.

Trigger Term Quality (2 / 3): Includes some relevant terms like 'XSS', 'output sanitization', 'client-side security', and 'frontend security', but misses common user-facing variations like 'cross-site scripting', 'HTML escaping', 'input validation', 'CSP', 'Content Security Policy', or 'script injection'.

Distinctiveness / Conflict Risk (3 / 3): The focus on frontend/client-side security with specific mentions of XSS and output sanitization creates a clear niche that is unlikely to conflict with general coding skills, backend security skills, or generic code review skills.

Total: 10 / 12 (Passed)

Implementation: 7%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads as a persona/role description rather than an actionable skill file. It extensively catalogs frontend security topics Claude already knows without providing any concrete code examples, specific implementation patterns, or executable guidance. The content would benefit enormously from replacing the capability lists with actual code snippets and specific workflows.

Suggestions

Replace the extensive capability bullet lists with concrete, executable code examples (e.g., a DOMPurify sanitization snippet, a CSP header configuration example, a secure redirect validation function).

Add a clear multi-step workflow with validation checkpoints for common tasks like implementing CSP (e.g., start with report-only mode, check violation reports, tighten policy, validate).

Move the detailed capability lists into the referenced 'resources/implementation-playbook.md' and keep SKILL.md focused on quick-start patterns and decision trees for when to apply which technique.

Remove sections that describe Claude's persona ('You are a frontend security coding expert...', 'Behavioral Traits', 'Knowledge Base') as these waste tokens on information that doesn't help Claude execute tasks.

Dimension / Reasoning / Score

Conciseness (1 / 3): Extremely verbose with extensive lists of capabilities, knowledge bases, and behavioral traits that Claude already knows. The content reads like a persona description rather than actionable instructions. Massive sections like 'Capabilities' with 10+ subsections of bullet points explain concepts Claude is already familiar with (e.g., what textContent vs innerHTML is, what CSP is).

Actionability (1 / 3): No concrete code examples, no executable commands, no specific implementation patterns. Everything is described abstractly (e.g., 'DOMPurify integration' without showing how, 'nonce-based CSP' without a CSP header example). The 'Example Interactions' section lists prompts rather than actual input/output examples.

Workflow Clarity (1 / 3): The 'Response Approach' section lists 9 high-level steps, but they are vague and lack validation checkpoints. No feedback loops, no verification steps, no error recovery guidance. For security-critical operations like CSP deployment or sanitization, there are no testing or validation workflows.

Progressive Disclosure (2 / 3): There is one reference to 'resources/implementation-playbook.md' for detailed examples, which is good. However, the main file is a monolithic wall of text with extensive inline content that could be split into separate reference files. The structure has headers, but the content under each is just bullet-point lists rather than well-organized actionable sections.

Total: 5 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 checks passed

Validation for skill structure

Criteria / Description / Result

metadata_version: 'metadata.version' is missing (Warning)

Total: 10 / 11 (Passed)
