Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.
Does it follow best practices?

Impact: No eval scenarios have been run.

Advisory: Suggest reviewing before use.

Quality

Discovery (82%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description has good trigger term coverage and explicitly addresses both 'what' and 'when', which are its main strengths. However, the 'what' portion is vague ('provides comprehensive security checklist and patterns') rather than listing specific concrete actions. The description also uses second-person framing ('Use this skill when') which is acceptable for trigger guidance, but the capability statement could be more specific about what security patterns and checks are actually performed.
Suggestions
Replace 'Provides comprehensive security checklist and patterns' with specific actions like 'Validates input sanitization, enforces authentication best practices, audits secret management, and reviews API endpoint security'.
Add more distinctive security-specific trigger terms like 'OWASP', 'XSS', 'SQL injection', 'CSRF', 'encryption', or 'authorization' to reduce overlap with general API/web development skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (security) and lists several areas (authentication, secrets, API endpoints, payment features), but the actual actions are vague — 'Provides comprehensive security checklist and patterns' doesn't describe concrete actions like 'validates input against injection attacks' or 'encrypts secrets at rest'. | 2 / 3 |
| Completeness | Explicitly answers both 'when' ('Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features') and 'what' ('Provides comprehensive security checklist and patterns'). The 'Use when' clause is present and clear. | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would actually say: 'authentication', 'user input', 'secrets', 'API endpoints', 'payment', 'sensitive features'. These cover a good range of common security-related queries. | 3 / 3 |
| Distinctiveness / Conflict Risk | While security is a recognizable niche, terms like 'handling user input' and 'creating API endpoints' could overlap with general web development or API design skills. The security focus helps but the broad scope creates some conflict risk. | 2 / 3 |
| Total | | 10 / 12 Passed |
Implementation (42%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is a comprehensive security reference with excellent, executable code examples across many domains, but it suffers significantly from verbosity and poor progressive disclosure. At 400+ lines, it consumes excessive context window for concepts Claude already knows well. The content would be far more effective as a concise checklist overview with detailed sections split into separate bundle files.
Suggestions
Reduce the SKILL.md to a concise overview (~50-80 lines) with the pre-deployment checklist and brief one-liner guidance per topic, moving detailed code examples into separate bundle files (e.g., auth-patterns.md, input-validation.md, xss-prevention.md).
Remove explanations of basic security concepts Claude already knows (e.g., what SQL injection is, why XSS is dangerous) and focus only on project-specific patterns and tool choices.
Add a clear workflow sequence: when during development each security check should be applied, with explicit feedback loops (e.g., 'run npm audit -> if vulnerabilities found -> fix -> re-audit before proceeding').
Remove the blockchain/Solana section or make it conditional — it's highly domain-specific and wastes tokens for the majority of projects that don't involve blockchain.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~400+ lines. Explains well-known security concepts Claude already understands (what SQL injection is, what XSS is, what CSRF is). Many sections are textbook-level explanations rather than project-specific guidance. The ❌/✅ pattern pairs, while clear, are redundant for Claude who already knows these anti-patterns. | 1 / 3 |
| Actionability | Every section provides fully executable TypeScript/SQL/bash code examples that are copy-paste ready. Concrete validation schemas, middleware configurations, cookie settings, CSP headers, and test examples are all provided with specific libraries and patterns. | 3 / 3 |
| Workflow Clarity | The checklists provide good verification steps per section, and the pre-deployment checklist is comprehensive. However, there's no clear sequencing of when to apply which checks during development, no feedback loops for when checks fail, and no prioritization guidance. It reads as a reference list rather than a workflow. | 2 / 3 |
| Progressive Disclosure | Monolithic wall of text with all 10 security domains fully inlined. No bundle files exist to offload detailed sections. Content like blockchain security, file upload validation, and CSP configuration could easily be split into separate reference files, with the SKILL.md serving as a concise overview with pointers. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation (100%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.