CtrlK
BlogDocsLog inGet started
Tessl Logo

common-security-audit

Probe for hardcoded secrets, injection surfaces, unguarded routes, business logic flaws, and platform-specific weaknesses across backend (Node, Go, Java, Python, Rust), frontend (React, Angular, Vue), and mobile (iOS, Android, Flutter) codebases. Use when performing security audits, vulnerability scans, secrets detection, or penetration testing.

69

Quality

86%

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

72%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A concise, well-structured audit overview that makes good use of progressive disclosure and real reference files. Its weaker spots are uneven inline actionability (several sections rely entirely on references) and missing validation feedback loops for destructive remediation steps.

Suggestions

Add at least one inline executable command per core section (secrets scan, log leakage, injection/auth) instead of routing everything to references/implementation.md, so the skill stands alone for the highest-priority checks.

Add explicit validate-fix-retry checkpoints for destructive/batch remediation (e.g., rotate secret -> purge from history -> re-scan to confirm no matches remain).

Make the audit workflow order explicit (e.g., 1. secrets -> 2. logs -> 3. injection -> 4. dependencies -> 5. infra -> 6. frontend -> 7. mobile -> 8. business logic) so the numbered P0/P1 sections read as a sequence rather than a checklist.

DimensionReasoningScore

Conciseness

The body is lean: priorities, terse command snippets, and a scoring table, with no padding that explains concepts Claude already knows; nearly every token earns its place.

3 / 3

Actionability

Sections 4, 6, and 8 give concrete executable commands, but sections 1, 2, 3, 5, and 7 only point to "See references/implementation.md" without any inline command, leaving several core actions incomplete inline.

2 / 3

Workflow Clarity

A priority structure (P0/P1/P2) and a scoring-impact table provide sequencing, but destructive/batch operations such as secret rotation and CVE remediation lack explicit validate-fix-retry checkpoints, capping clarity at 2.

2 / 3

Progressive Disclosure

The body is an overview pointing to one-level-deep, well-signaled references (implementation.md, mobile-audit.md, REMEDIATION.md), all of which exist in the bundle, with content appropriately split for navigation.

3 / 3

Total

10

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, third-person description that specifies concrete audit actions across backend/frontend/mobile and pairs them with explicit use-when triggers. It is distinct, complete, and free of vague fluff or over-claims.

DimensionReasoningScore

Specificity

Lists multiple concrete actions ("Probe for hardcoded secrets, injection surfaces, unguarded routes, business logic flaws") and enumerates specific platforms across backend, frontend, and mobile, matching the "multiple specific concrete actions" anchor.

3 / 3

Completeness

Clearly answers both what ("Probe for hardcoded secrets..." across named codebases) and when ("Use when performing security audits, vulnerability scans, secrets detection, or penetration testing"), with an explicit trigger clause.

3 / 3

Trigger Term Quality

Natural user-facing terms appear via "Use when performing security audits, vulnerability scans, secrets detection, or penetration testing," backed by metadata keywords (pentest, Dockerfile, injection probe); good coverage of terms users would say.

3 / 3

Distinctiveness Conflict Risk

Scoped to a clear niche (multi-platform security auditing) with platform-specific triggers, making it unlikely to fire for unrelated skills.

3 / 3

Total

12

/

12

Passed

Validation

87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation14 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

metadata_version

'metadata.version' is missing

Warning

metadata_field

'metadata' should map string keys to string values

Warning

Total

14

/

16

Passed

Repository
HoangNguyen0403/agent-skills-standard
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.