OWASP Top 10 audit checklists for Web Applications (2021), APIs (2023), and Mobile (2024). Use when performing any security review, PR review, or codebase audit touching web, mobile, or API code.
71
88%
Impact: No eval scenarios have been run. Advisory: suggest reviewing before use.
Quality
Discovery (89%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid description with explicit 'Use when' triggers and good natural keywords covering security review scenarios. Its main weakness is that it describes the skill as 'audit checklists' without detailing the concrete actions performed (e.g., checking for specific vulnerability categories, generating reports, flagging issues). The specificity of capabilities could be improved by listing what the skill actually does with those checklists.
Suggestions
Add concrete actions the skill performs, e.g., 'Checks code against OWASP Top 10 vulnerability categories including injection, broken authentication, and security misconfigurations' to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (OWASP Top 10 audit checklists) and specifies the three standards covered (Web 2021, APIs 2023, Mobile 2024), but doesn't list concrete actions beyond 'audit checklists' — it doesn't describe what the skill actually does with those checklists (e.g., checks for injection flaws, validates authentication, flags insecure configurations). | 2 / 3 |
| Completeness | Clearly answers both 'what' (OWASP Top 10 audit checklists for three domains with specific years) and 'when' (explicit 'Use when performing any security review, PR review, or codebase audit touching web, mobile, or API code'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would say: 'security review', 'PR review', 'codebase audit', 'web', 'mobile', 'API', and 'OWASP'. These cover a good range of how users would naturally phrase security-related requests. | 3 / 3 |
| Distinctiveness / Conflict Risk | The focus on OWASP Top 10 security audit checklists with specific standard versions creates a clear niche. The combination of security auditing with specific OWASP standards is unlikely to conflict with other skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation (87%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, well-structured security checklist skill. It excels at conciseness and actionability by providing dense, specific detection signals in tabular format without unnecessary explanation. The main weakness is the lack of an explicit audit workflow with validation/verification steps — it tells Claude what to look for but not how to systematically conduct and conclude an audit.
Suggestions
Add a brief step-by-step audit workflow (e.g., 1. Identify scope → 2. Run checklist → 3. Triage findings by priority → 4. Verify fixes → 5. Produce summary) to improve workflow clarity.
Include a feedback loop for post-remediation: after flagging 🔴 findings, specify that Claude should re-check those items after fixes are applied before marking the audit complete.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Every line earns its place. No explanations of what OWASP is, no tutorial-style padding. The tables are dense with actionable detection signals, and the always-apply rules are crisp one-liners with concrete anti-patterns. | 3 / 3 |
| Actionability | Highly actionable: each checklist item includes a specific detection signal (e.g., `findById(params.id)` without owner filter, `SharedPreferences` for tokens, CORS `*`). The always-apply rules give concrete patterns to flag. The ✅/⚠️/🔴 marking system provides a clear audit methodology. | 3 / 3 |
| Workflow Clarity | The skill distinguishes between 'always-apply' and 'context-specific' modes and provides a marking system, but lacks an explicit step-by-step audit workflow with validation checkpoints. There's no feedback loop for what to do after findings are identified (e.g., re-audit after fixes, escalation process, how to produce a final report). | 2 / 3 |
| Progressive Disclosure | Excellent structure: concise overview tables in the main file with clear one-level-deep references to three detailed files (owasp-web.md, owasp-api.md, owasp-mobile.md). Navigation is well-signaled both inline and in a dedicated References section. Note: bundle files weren't provided, but the referenced paths are consistent and clearly structured. | 3 / 3 |
| Total | | 11 / 12 Passed |
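The detection signals the Actionability row cites (`findById(params.id)` without an owner filter, `SharedPreferences` for tokens, CORS `*`) can be approximated with mechanical checks. The scanner below is an added example written for this page; it is not the skill's own code nor anything the evaluator ran. Its regular expressions, severities, category labels and the constructed sample snippets are all assumptions, and it is a triage aid that still needs a human to confirm each hit.

```python
"""Toy static checks for three detection signals quoted in the Actionability
row: findById(params.id) without an owner filter, CORS '*', and tokens in
SharedPreferences. Added example; patterns and severities are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    severity: str  # "🔴" must-fix, "⚠️" review
    rule: str
    text: str


# Heuristic patterns (assumed, not the checklist's wording).
_FIND_BY_ID = re.compile(r"findById\(\s*(req\.)?params\.id\s*\)")
# Any of these in the same statement or the next few lines counts as an
# ownership check; anything else is reported as a BOLA candidate.
_OWNER_FILTER = re.compile(r"\b(owner|ownerId|userId|user\._id|req\.user)\b")
# Express `cors()` with no options defaults to Access-Control-Allow-Origin: *.
_CORS_WILDCARD = re.compile(
    r"(Access-Control-Allow-Origin['\"]?\s*[,:]\s*['\"]\*['\"]"
    r"|origin\s*:\s*['\"]\*['\"]"
    r"|\bcors\(\s*\))"
)
_SHARED_PREFS = re.compile(r"SharedPreferences")
_TOKEN_WORD = re.compile(r"\b(token|jwt|secret|password)\b", re.I)


def audit(source: str, window: int = 2) -> list[Finding]:
    """Scan source text line by line; `window` extra lines of context are
    used for checks that span statements (the owner filter, the stored key)."""
    lines = source.splitlines()
    findings: list[Finding] = []
    for idx, line in enumerate(lines):
        ctx = "\n".join(lines[idx : idx + 1 + window])
        no = idx + 1
        if _FIND_BY_ID.search(line) and not _OWNER_FILTER.search(ctx):
            findings.append(Finding(no, "🔴",
                "Broken object level authorization: findById(params.id) without owner filter",
                line.strip()))
        if _CORS_WILDCARD.search(line):
            findings.append(Finding(no, "⚠️",
                "Security misconfiguration: CORS allows any origin", line.strip()))
        if _SHARED_PREFS.search(line) and _TOKEN_WORD.search(ctx):
            findings.append(Finding(no, "🔴",
                "Insecure data storage: credential written to SharedPreferences",
                line.strip()))
    return findings


def overall_mark(findings: list[Finding]) -> str:
    """Collapse findings into the checklist's ✅/⚠️/🔴 marking."""
    if any(f.severity == "🔴" for f in findings):
        return "🔴"
    if findings:
        return "⚠️"
    return "✅"


# Constructed sample inputs (not from any real code base).
API_SAMPLE = """\
app.use(cors());
router.get('/orders/:id', async (req, res) => {
  const order = await Order.findById(req.params.id);
  res.json(order);
});
router.get('/invoices/:id', async (req, res) => {
  const inv = await Invoice.findById(req.params.id);
  if (!inv || inv.owner.toString() !== req.user.id) return res.sendStatus(404);
  res.json(inv);
});
"""
ANDROID_SAMPLE = """\
SharedPreferences prefs = getSharedPreferences("auth", MODE_PRIVATE);
prefs.edit().putString("jwt", token).apply();
"""

if __name__ == "__main__":
    for name, src in (("api", API_SAMPLE), ("android", ANDROID_SAMPLE)):
        hits = audit(src)
        print(f"{name}: {overall_mark(hits)}")
        for f in hits:
            print(f"  {f.severity} line {f.line_no}: {f.rule}\n      {f.text}")
```

Run as a script it prints the per-line findings and the overall ✅/⚠️/🔴 mark for each sample: the `/orders/:id` handler is flagged, the `/invoices/:id` handler is not because its ownership comparison sits within the context window. The window exists precisely because the authorization check is usually a separate statement from the query; a single-line regex would report the hardened handler too.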
Validation (81%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation for skill structure: 9 / 11 passed
| Criteria | Description | Result |
|---|---|---|
| metadata_version | 'metadata.version' is missing | Warning |
| metadata_field | 'metadata' should map string keys to string values | Warning |
| Total | | 9 / 11 Passed |
3df717f