
common-security-audit

Probe for hardcoded secrets, injection surfaces, unguarded routes, business logic flaws, and platform-specific weaknesses across backend (Node, Go, Java, Python, Rust), frontend (React, Angular, Vue), and mobile (iOS, Android, Flutter) codebases. Use when performing security audits, vulnerability scans, secrets detection, or penetration testing.


Quality: 82% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Passed (No known issues)


Quality

Content: 64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured security audit skill that covers a broad attack surface efficiently. Its main strengths are the concise scoring impact table, specific grep patterns, and clear severity classifications. Its weaknesses are heavy reliance on unverifiable reference files for core actionable content and the lack of explicit validation/feedback loops for a process that involves destructive remediation steps (credential rotation, history purging).

Suggestions

Add a brief validation/feedback loop workflow, e.g., 'After each P0 finding: 1. Document finding, 2. Apply fix, 3. Re-run scan to verify remediation, 4. Proceed to next section.'

Inline at least one concrete example command for sections 1-3 and 5 so the SKILL.md is minimally actionable without the reference files (e.g., a key grep pattern for secrets scanning).

Ensure bundle files (references/implementation.md, references/mobile-audit.md, references/REMEDIATION.md) are actually provided so the progressive disclosure structure is functional.

Dimension / Reasoning / Score

Conciseness (3 / 3): The content is lean and efficient. It avoids explaining what secrets, injection, or CVEs are, concepts Claude already knows. Each section is tightly scoped with specific commands or clear pointers to reference files. The scoring table is a compact, high-value addition.

Actionability (2 / 3): Sections 4, 6, and 8 provide concrete commands and specific patterns to grep for, which is good. However, sections 1, 2, 3, 5, and 7 delegate entirely to reference files (which are not provided in the bundle), making the SKILL.md itself incomplete for execution. The mix of concrete and delegated guidance lands this at a 2.

Workflow Clarity (2 / 3): The numbered sections imply a sequence (scan secrets first, then logs, then injection, etc.), and the scoring table provides clear thresholds. However, there are no explicit validation checkpoints, no feedback loops for when findings are discovered (beyond the brief 'rotate NOW' note), and no clear workflow for iterating through findings and verifying fixes.

Progressive Disclosure (2 / 3): The skill references multiple external files (references/implementation.md, references/mobile-audit.md, references/REMEDIATION.md) with clear signaling, which is good structure. However, no bundle files were provided, so we cannot verify these references exist or are well-structured. Additionally, some sections inline content while others delegate entirely, creating an inconsistent pattern.

Total: 9 / 12 (Passed)

Description: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly articulates specific security-focused capabilities across a wide range of technology stacks. It includes an explicit 'Use when' clause with natural trigger terms, lists concrete actions rather than vague claims, and occupies a distinct niche that minimizes conflict with other skills.

Dimension / Reasoning / Score

Specificity (3 / 3): Lists multiple specific concrete actions: probing for hardcoded secrets, injection surfaces, unguarded routes, business logic flaws, and platform-specific weaknesses. Also enumerates specific technology stacks across backend, frontend, and mobile.

Completeness (3 / 3): Clearly answers both 'what' (probe for hardcoded secrets, injection surfaces, unguarded routes, business logic flaws, platform-specific weaknesses across multiple tech stacks) and 'when' (explicit 'Use when performing security audits, vulnerability scans, secrets detection, or penetration testing').

Trigger Term Quality (3 / 3): Includes strong natural trigger terms users would say: 'security audits', 'vulnerability scans', 'secrets detection', 'penetration testing', plus technology-specific terms like 'Node', 'Go', 'React', 'iOS', 'Android', 'Flutter'. Covers a wide range of natural user queries.

Distinctiveness / Conflict Risk (3 / 3): The security audit / vulnerability scanning niche is clearly distinct from general coding skills. The combination of specific vulnerability types and the explicit security-focused trigger terms makes it unlikely to conflict with general code review or development skills.

Total: 12 / 12 (Passed)

Validation: 81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure

Criteria / Description / Result

metadata_version: 'metadata.version' is missing (Warning)

metadata_field: 'metadata' should map string keys to string values (Warning)

Total: 9 / 11 (Passed)

Repository: HoangNguyen0403/agent-skills-standard (Reviewed)
