Probe for hardcoded secrets, injection surfaces, unguarded routes, and infrastructure weaknesses across Node, Go, Dart, Java, Python, and Rust codebases. Use when performing security audits, vulnerability scans, secrets detection, or penetration testing. (triggers: package.json, go.mod, pubspec.yaml, pom.xml, Dockerfile, security audit, vulnerability scan, secrets detection, injection probe, pentest)
Impact: Pending. No eval scenarios have been run.
Risky: Do not use without reviewing.
Optimize this skill with Tessl:
    npx tessl skill review --optimize ./.agent/skills/common/common-security-audit/SKILL.md

Quality

Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, well-crafted skill description that clearly communicates its security audit purpose, lists concrete actions, specifies supported languages, and provides explicit trigger guidance with both file-based and task-based keywords. It follows best practices by using third person voice and including a 'Use when' clause with comprehensive trigger terms.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'probe for hardcoded secrets, injection surfaces, unguarded routes, and infrastructure weaknesses' across named languages (Node, Go, Dart, Java, Python, Rust). | 3 / 3 |
| Completeness | Clearly answers both 'what' (probe for hardcoded secrets, injection surfaces, unguarded routes, infrastructure weaknesses across multiple language codebases) and 'when' (explicit 'Use when' clause with security audits, vulnerability scans, secrets detection, penetration testing). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms including file-based triggers (package.json, go.mod, pubspec.yaml, pom.xml, Dockerfile) and task-based triggers (security audit, vulnerability scan, secrets detection, injection probe, pentest). These are terms users would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Occupies a clear security-focused niche with distinct triggers like 'pentest', 'injection probe', 'secrets detection', and specific manifest files. Unlikely to conflict with general code review or linting skills due to the explicit security framing. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 52%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a solid catalog of security audit checks with concrete grep commands and CLI tools across multiple languages, and it stays concise. However, it reads more like a checklist of detection patterns than a guided workflow: there is no sequencing logic, no validation or triage step after findings, and several critical sections are delegated entirely to external files without inline summaries. Actionability suffers from the heavy reliance on references for key sections.
Suggestions

- Add a brief workflow overview at the top that sequences the audit steps (e.g., 'Run secrets scan first, then triage P0 findings before proceeding') with explicit validation checkpoints between phases.
- Include at least one inline example command or pattern for sections 1, 3, and 6 instead of delegating entirely to references/implementation.md; reserve the reference for comprehensive coverage.
- Add a verification/triage step after scanning (e.g., 'Review each finding to confirm it's not a false positive before scoring') to create a feedback loop for the audit process.
- Show how to compute and evaluate the auth coverage ratio in section 4 (e.g., 'echo "Coverage: $((guarded * 100 / total))%"') so the threshold check is actionable.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient. It avoids explaining what security audits are or how grep works. Every section delivers actionable commands without unnecessary preamble. The scoring table and anti-patterns are concise and add value. | 3 / 3 |
| Actionability | Several sections provide concrete, executable grep commands and CLI tools, which is good. However, three key sections (1, 3, 6) delegate entirely to references/implementation.md without providing any inline commands or examples, leaving gaps in immediate actionability. The auth coverage commands use bash variable assignment but don't show how to compute or report the ratio. | 2 / 3 |
| Workflow Clarity | The sections are numbered but there's no clear sequential workflow with dependencies between steps. There are no validation checkpoints, no feedback loops for when findings are detected, and no guidance on what to do after scanning (e.g., verify findings, triage, remediate). For a security audit involving potentially destructive or high-stakes operations, the lack of verification steps is a significant gap. | 1 / 3 |
| Progressive Disclosure | The skill does reference external files (references/implementation.md, references/REMEDIATION.md) for detailed content, which is good progressive disclosure. However, three of seven sections punt entirely to implementation.md without any inline summary or example, making the main file feel incomplete. The references are one-level deep and clearly signaled, but the balance between inline and referenced content is off. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation: 11 / 11 Passed
Validation for skill structure
No warnings or errors.