Name: jbvc/frontend-security-coder
Rating: 41.6 (1 reviews)
Author: jbvc

jbvc/frontend-security-coder

Expert in secure frontend coding practices specializing in XSS prevention, output sanitization, and client-side security patterns. Use PROACTIVELY for frontend security implementations or client-side security code reviews.

Quality

52%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Quality

Content

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads as a persona/role description rather than an actionable skill file. It extensively catalogs frontend security topics Claude already knows without providing any concrete code examples, specific implementation patterns, or executable guidance. The content would benefit enormously from replacing the capability lists with actual code snippets and specific workflows.

Suggestions

Replace the extensive capability bullet lists with concrete, executable code examples (e.g., a DOMPurify sanitization snippet, a CSP header configuration example, a secure redirect validation function).

Add a clear multi-step workflow with validation checkpoints for common tasks like implementing CSP (e.g., start with report-only mode, check violation reports, tighten policy, validate).

Move the detailed capability lists into the referenced 'resources/implementation-playbook.md' and keep SKILL.md focused on quick-start patterns and decision trees for when to apply which technique.

Remove sections that describe Claude's persona ('You are a frontend security coding expert...', 'Behavioral Traits', 'Knowledge Base') as these waste tokens on information that doesn't help Claude execute tasks.

Dimension	Reasoning	Score
Conciseness	Extremely verbose with extensive lists of capabilities, knowledge bases, and behavioral traits that Claude already knows. The content reads like a persona description rather than actionable instructions. Massive sections like 'Capabilities' with 10+ subsections of bullet points explain concepts Claude is already familiar with (e.g., what textContent vs innerHTML is, what CSP is).	1 / 3
Actionability	No concrete code examples, no executable commands, no specific implementation patterns. Everything is described abstractly (e.g., 'DOMPurify integration' without showing how, 'nonce-based CSP' without a CSP header example). The 'Example Interactions' section lists prompts rather than actual input/output examples.	1 / 3
Workflow Clarity	The 'Response Approach' section lists 9 high-level steps but they are vague and lack validation checkpoints. No feedback loops, no verification steps, no error recovery guidance. For security-critical operations like CSP deployment or sanitization, there are no testing or validation workflows.	1 / 3
Progressive Disclosure	There is one reference to 'resources/implementation-playbook.md' for detailed examples, which is good. However, the main file is a monolithic wall of text with extensive inline content that could be split into separate reference files. The structure has headers but the content under each is just bullet-point lists rather than well-organized actionable sections.	2 / 3
	Total	5 / 12 Passed

Description

75%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description has a clear niche in frontend security and includes an explicit 'Use when' clause, which is a strength. However, it could be more specific in listing concrete actions and could include more natural trigger terms that users would actually say (e.g., 'cross-site scripting', 'HTML escaping', 'script injection'). The use of 'Expert in' as an opening is slightly fluffy but the rest is reasonably concrete.

Suggestions

Replace 'Expert in secure frontend coding practices specializing in' with concrete action verbs listing specific capabilities, e.g., 'Sanitizes HTML output, escapes user input, validates DOM manipulation, configures Content Security Policy headers.'

Expand trigger terms to include common user variations like 'cross-site scripting', 'script injection', 'HTML escaping', 'input sanitization', 'CSP headers', and '.js security'.

Dimension	Reasoning	Score
Specificity	Names the domain (frontend security) and some actions (XSS prevention, output sanitization, security code reviews), but doesn't list multiple concrete granular actions like 'sanitize HTML output, escape user input, validate DOM manipulation, configure CSP headers'.	2 / 3
Completeness	Clearly answers both 'what' (secure frontend coding practices, XSS prevention, output sanitization, client-side security patterns) and 'when' ('Use PROACTIVELY for frontend security implementations or client-side security code reviews'), with an explicit trigger clause.	3 / 3
Trigger Term Quality	Includes some relevant terms like 'XSS', 'output sanitization', 'client-side security', and 'frontend security', but misses common user-facing variations like 'cross-site scripting', 'HTML escaping', 'input validation', 'CSP', 'Content Security Policy', or 'script injection'.	2 / 3
Distinctiveness Conflict Risk	The focus on frontend/client-side security with specific mentions of XSS and output sanitization creates a clear niche that is unlikely to conflict with general coding skills, backend security skills, or generic code review skills.	3 / 3
	Total	10 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
metadata_version	'metadata.version' is missing	Warning

	Total	10 / 11 Passed

Reviewed

3 months ago

Table of Contents

Discovery Implementation Validation