
backend-security-coder

Expert in secure backend coding practices specializing in input validation, authentication, and API security. Use PROACTIVELY for backend security implementations or security code reviews.

38

Quality

37%

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./.agent/skills/backend-security-coder/SKILL.md

Quality

Content

7%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is essentially a table of contents with no substantive content. It lacks any concrete code examples, specific security patterns, executable guidance, or clear workflows. The main file delegates everything to sub-skill files that aren't provided, while filling space with redundant descriptions and generic instructions that don't leverage Claude's existing knowledge.

Suggestions

Add at least 3-5 concrete, executable code examples of common security patterns (e.g., input validation, parameterized queries, JWT verification) directly in the main SKILL.md so it provides immediate value.

Replace the generic instructions ('Apply relevant best practices and validate outcomes') with specific, sequenced workflows for common tasks like 'securing an API endpoint' or 'implementing authentication', including validation checkpoints.

Remove redundant sections (duplicate purpose statements, when-to-use/not-use boilerplate, the empty 'Capabilities' header) to improve conciseness.

Add brief summaries next to each sub-skill link describing what specific guidance each contains, so the main file serves as a useful overview rather than just a link list.

Dimension | Reasoning | Score

Conciseness (1 / 3)
The content is verbose and redundant. It explains when to use/not use the skill in generic terms, restates the purpose multiple times, explains the difference between this skill and a security auditor (context Claude doesn't need), and includes a 'Purpose' section that largely repeats the description. The 'Capabilities' header is empty. Much of this is padding that doesn't add actionable value.

Actionability (1 / 3)
There is no concrete code, no executable examples, no specific commands, and no actionable security patterns. The instructions are entirely abstract ('Apply relevant best practices and validate outcomes'). The skill delegates everything to sub-skill files without providing any immediately usable guidance in the main file.

Workflow Clarity (1 / 3)
There is no clear workflow or sequenced process. The four bullet points under 'Instructions' are generic platitudes ('Clarify goals, constraints, and required inputs') with no specific steps, validation checkpoints, or feedback loops for security-critical operations.

Progressive Disclosure (2 / 3)
The skill does reference 10 sub-skill files and a resources/implementation-playbook.md, which shows an attempt at progressive disclosure with one-level-deep references. However, no bundle files were provided to verify these exist, the main file contains almost no substantive content of its own, and the 'Capabilities' section is just a list of links with no overview content to orient the reader.

Total: 5 / 12 (Passed)

Description

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description has a solid structure with both 'what' and 'when' clauses clearly stated, which is its strongest aspect. However, it operates at a category level rather than listing specific concrete actions, and the trigger terms could be expanded to cover more natural user language around security concerns. The domain is somewhat distinct but broad enough to risk overlap with adjacent skills.

Suggestions

Add more specific concrete actions like 'sanitize user inputs against SQL injection and XSS, implement JWT/OAuth authentication flows, configure rate limiting and CORS policies'.

Expand trigger terms to include natural user phrases like 'SQL injection', 'XSS', 'CSRF protection', 'password hashing', 'OAuth', 'vulnerability', 'sanitize inputs', or 'secure endpoint'.

Dimension | Reasoning | Score

Specificity (2 / 3)
Names the domain (backend security) and some actions (input validation, authentication, API security, security code reviews), but these are more like categories than concrete actions. It doesn't list specific tasks like 'sanitize SQL queries, implement JWT token validation, configure CORS headers'.

Completeness (3 / 3)
Clearly answers both 'what' (secure backend coding practices specializing in input validation, authentication, and API security) and 'when' (Use PROACTIVELY for backend security implementations or security code reviews), with an explicit trigger clause.

Trigger Term Quality (2 / 3)
Includes some relevant keywords like 'input validation', 'authentication', 'API security', and 'security code reviews', but misses many natural user terms like 'SQL injection', 'XSS', 'CSRF', 'authorization', 'password hashing', 'OAuth', 'sanitization', or 'vulnerability'.

Distinctiveness / Conflict Risk (2 / 3)
The focus on 'backend security' provides some distinctiveness, but terms like 'authentication' and 'API security' could overlap with general API development skills or authentication-specific skills. The scope is broad enough to potentially conflict with other security-related or backend development skills.

Total: 9 / 12 (Passed)

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure

Criteria | Description | Result

metadata_version
'metadata.version' is missing
Result: Warning

frontmatter_unknown_keys
Unknown frontmatter key(s) found; consider removing or moving to metadata
Result: Warning

Total: 9 / 11 (Passed)

Repository: Dokhacgiakhoa/antigravity-ide (Reviewed)
