
backend-security-coder

Expert in secure backend coding practices specializing in input validation, authentication, and API security. Use PROACTIVELY for backend security implementations or security code reviews.

51

Quality: 44%
Does it follow best practices?

Impact: Pending
No eval scenarios have been run

Security by Snyk: Passed
No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./.agent/skills/backend-security-coder/SKILL.md

Quality

Discovery: 67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description has good structure with explicit 'Use when' guidance, which is a strength. However, it relies on category names (input validation, authentication) rather than concrete actions, and the trigger terms could be expanded to include more natural user language variations. The security domain is clear but could conflict with other security-adjacent skills.

Suggestions

Replace category names with specific actions: 'Implements input sanitization, JWT/OAuth authentication flows, rate limiting, and CORS configuration' instead of listing general areas.

Add natural trigger term variations users would say: 'auth', 'login', 'SQL injection', 'XSS prevention', 'OWASP', 'secure endpoints', 'API keys'.

Dimension, reasoning and score:

Specificity (2 / 3): Names the domain (backend security) and lists some areas (input validation, authentication, API security), but these are categories rather than concrete actions like 'validates user input against injection attacks' or 'implements JWT token authentication'.

Completeness (3 / 3): Clearly answers both what ('secure backend coding practices specializing in input validation, authentication, and API security') and when ('Use PROACTIVELY for backend security implementations or security code reviews') with explicit trigger guidance.

Trigger Term Quality (2 / 3): Includes relevant terms like 'backend security', 'input validation', 'authentication', 'API security', and 'security code reviews', but is missing common variations users might say like 'auth', 'login security', 'SQL injection', 'XSS', 'OWASP', or 'secure coding'.

Distinctiveness / Conflict Risk (2 / 3): The 'backend security' focus provides some distinction, but 'security code reviews' could overlap with general code review skills, and 'authentication' could conflict with identity/auth-specific skills. The scope is moderately specific but not uniquely carved out.

Total: 9 / 12 (Passed)

Implementation: 22%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill functions primarily as an index to sub-skills rather than providing actionable security guidance itself. It lacks concrete code examples, specific commands, or executable workflows that would help Claude implement secure backend practices. The structure for progressive disclosure exists but the main file offers no immediate value without drilling into sub-skills.

Suggestions

Add a 'Quick Reference' section with 2-3 concrete, executable code examples for the most common security tasks (e.g., input validation, parameterized queries, secure password hashing)

Replace vague instructions ('Apply relevant best practices') with specific, actionable steps like 'For input validation: 1. Define schema, 2. Validate at boundary, 3. Reject invalid input with specific error'

Include a security implementation checklist with validation checkpoints for common workflows (e.g., 'Before deploying auth: verify password hashing uses bcrypt/argon2, confirm rate limiting is enabled')

Add at least one complete, copy-paste ready code snippet demonstrating a secure pattern (e.g., secure API endpoint with input validation and error handling)

Dimension, reasoning and score:

Conciseness (2 / 3): The skill contains some unnecessary boilerplate (generic 'When to Use' sections, redundant purpose statement) and explains the difference between this skill and security-auditor, which may not be needed. However, it is not excessively verbose.

Actionability (1 / 3): The skill provides no concrete code examples, commands, or executable guidance. It only lists topics and links to sub-skills without any actual implementation details or copy-paste ready content in the main file.

Workflow Clarity (1 / 3): The instructions are vague ('Clarify goals', 'Apply relevant best practices') with no clear sequence, validation steps, or concrete workflow. For security-critical operations, this lack of explicit validation checkpoints is problematic.

Progressive Disclosure (2 / 3): The skill does reference 10 sub-skills with clear links, which is good structure. However, the main file lacks a useful quick-start or overview of actual security practices; it is essentially just a table of contents with no actionable content at the top level.

Total: 6 / 12 (Passed)

Validation: 81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure

Criteria, description and result:

metadata_version: 'metadata.version' is missing (Warning)

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata (Warning)

Total: 9 / 11 (Passed)

Repository: Dokhacgiakhoa/antigravity-ide (Reviewed)
