Apply this skill when writing or reviewing any code that touches user input, authentication, database access, API routes, server actions, middleware, environment variables, or external data in a Next.js + TypeScript + Drizzle application. Triggers on requests like "add authentication", "handle user input", "create an API route", "store this in the database", "handle file uploads", "add permissions", "is this safe", or any feature that involves data flowing in from outside the application. Use proactively — security decisions must not be deferred.
Quality: 80% (Does it follow best practices?)
Impact: Pending (No eval scenarios have been run)
Discovery
Discovery: 72%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description excels at defining when to use the skill with comprehensive trigger terms and clear context boundaries, but fails to explain what the skill actually does. The 'when' guidance is exemplary, but without knowing the concrete actions (security review, vulnerability detection, secure code generation, etc.), Claude cannot fully understand the skill's purpose.
Suggestions
- Add concrete actions at the beginning describing what the skill does, e.g., 'Reviews code for security vulnerabilities, implements secure authentication patterns, validates and sanitizes user input, and enforces authorization checks.'
- Restructure to lead with capabilities before the trigger conditions: start with 'what it does', then follow with 'Apply when...'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (security in Next.js + TypeScript + Drizzle) and lists areas of concern (user input, authentication, database access, API routes, etc.), but doesn't describe concrete actions the skill performs; it focuses on when to apply rather than what specific actions it takes. | 2 / 3 |
| Completeness | The 'when' is exceptionally well-defined with explicit triggers and contexts, but the 'what' is weak: it says to 'apply this skill' but never explains what the skill actually does (e.g., 'Reviews code for vulnerabilities', 'Implements secure patterns', 'Adds input validation'). | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'add authentication', 'handle user input', 'create an API route', 'store this in the database', 'handle file uploads', 'add permissions', 'is this safe'. These are realistic phrases users would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clear niche focused on security concerns specifically within the Next.js + TypeScript + Drizzle stack. The combination of security focus with this specific tech stack and the detailed trigger scenarios makes it unlikely to conflict with general coding or other framework skills. | 3 / 3 |
| Total | | 10 / 12 (Passed) |
Implementation
Implementation: 79%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, actionable security skill with excellent code examples and clear anti-patterns. The content is appropriately concise and assumes Claude's competence. The main weaknesses are the lack of an explicit security review workflow/checklist and the monolithic structure that could benefit from progressive disclosure to separate reference files.
Suggestions
- Add a 'Security Review Checklist' section with explicit validation steps before deployment (e.g., '1. Verify all Server Actions check the session, 2. Run pnpm audit, 3. Confirm no NEXT_PUBLIC_ secrets')
- Consider splitting detailed topics (CSP configuration, rate limiting setup, env validation) into linked reference files to reduce the main skill's length
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient, assuming Claude's competence with TypeScript, Next.js, and security concepts. No unnecessary explanations of what XSS or SQL injection are, just actionable patterns and anti-patterns. | 3 / 3 |
| Actionability | Every section provides executable, copy-paste ready code examples with clear ✅/❌ patterns. The middleware, Zod schemas, rate limiting, and env validation examples are all complete and immediately usable. | 3 / 3 |
| Workflow Clarity | While individual security patterns are clear, there's no explicit workflow for security review or validation checkpoints. For a skill covering destructive/sensitive operations like auth and data handling, a checklist or 'before deploying' validation sequence would strengthen this. | 2 / 3 |
| Progressive Disclosure | Content is well-organized with clear section headers, but it's a monolithic document (~200 lines) with no references to external files for deeper dives. Topics like rate limiting or CSP configuration could link to dedicated reference files. | 2 / 3 |
| Total | | 10 / 12 (Passed) |
Validation
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
Install with Tessl CLI: npx tessl i product-factory/security@0.2.0
Reviewed