
common-owasp

OWASP Top 10 audit checklist for Web Applications (2021) and APIs (2023). Use when performing any security review, PR review, or codebase audit touching web, mobile backend, or API code.

88

Quality: 87% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security (by Snyk): Passed (No known issues)


Quality

Discovery

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a solid description with excellent completeness and trigger term coverage. It clearly identifies its niche (OWASP security auditing) and provides explicit 'Use when' guidance with natural trigger terms. The main weakness is that it could be more specific about the concrete actions it performs beyond being a 'checklist'.

Suggestions

Add specific concrete actions to improve specificity, e.g., 'Checks for injection vulnerabilities, broken authentication, access control issues, security misconfigurations, and other OWASP Top 10 categories.'

Dimension (Score): Reasoning

Specificity (2 / 3): Names the domain (OWASP Top 10 for Web Applications and APIs) and the general action (audit checklist), but does not list specific concrete actions like 'check for injection vulnerabilities, validate authentication flows, review access controls'.

Completeness (3 / 3): Clearly answers both 'what' (OWASP Top 10 audit checklist for Web Applications 2021 and APIs 2023) and 'when' (explicitly states 'Use when performing any security review, PR review, or codebase audit touching web, mobile backend, or API code').

Trigger Term Quality (3 / 3): Includes strong natural trigger terms users would say: 'security review', 'PR review', 'codebase audit', 'web', 'API', 'OWASP', 'mobile backend'. These cover a good range of how users would naturally phrase security-related requests.

Distinctiveness / Conflict Risk (3 / 3): Clearly scoped to OWASP Top 10 security auditing for web and API code, which is a distinct niche. The combination of 'OWASP', 'security review', and 'audit checklist' makes it unlikely to conflict with general code review or other non-security skills.

Total: 11 / 12 (Passed)

Implementation

85%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured, concise security checklist that efficiently uses tables for dense information delivery and clearly separates always-apply rules from audit-specific checks. Progressive disclosure is excellent with clear references to detailed files. The main gap is the lack of concrete code examples showing correct patterns (not just anti-patterns), which limits actionability for implementation guidance.

Suggestions

Add 1-2 brief code snippets showing the correct pattern alongside the anti-pattern for the most critical always-apply rules (e.g., show the correct owner-filtered query next to the IDOR anti-pattern).

Consider adding a small 'fix pattern' column or inline code to the tables for the highest-priority items (A01/API1, A03) to make the checklist more actionable for remediation.

Dimension (Score): Reasoning

Conciseness (3 / 3): Every line earns its place. The tables are dense with actionable detection signals, the always-apply rules are terse and specific, and there's no explanation of what OWASP is or how security works; it assumes Claude's competence throughout.

Actionability (2 / 3): The detection signals are concrete and specific (e.g., 'findById(params.id) without owner filter'), and the always-apply rules give clear anti-patterns. However, there are no executable code examples showing correct implementations or fix patterns; it tells you what's wrong but not how to fix it with concrete code.

Workflow Clarity (3 / 3): The skill clearly separates always-apply rules (every code write) from the context-specific checklist (security reviews/audits), provides a marking system (✅/⚠️/🔴), and establishes a clear severity framework ('P0 finding caps Security score at 40/100'). For a checklist-style skill, this is a well-sequenced workflow.

Progressive Disclosure (3 / 3): The SKILL.md serves as a concise overview with summary tables, then clearly points to one-level-deep references (references/owasp-web.md and references/owasp-api.md) for full detection signals. Navigation is well-signaled and appropriately structured.

Total: 11 / 12 (Passed)

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure

Criteria (Result): Description

metadata_version (Warning): 'metadata.version' is missing

metadata_field (Warning): 'metadata' should map string keys to string values

Total: 9 / 11 (Passed)

Repository: HoangNguyen0403/agent-skills-standard (Reviewed)
