Probe for hardcoded secrets, injection surfaces, unguarded routes, and infrastructure weaknesses across Node, Go, Dart, Java, Python, and Rust codebases. Use when performing security audits, vulnerability scans, secrets detection, or penetration testing.
Overall score: 82

Quality: 80% (Does it follow best practices?)
Impact: Pending (No eval scenarios have been run)
Validation: Passed (No known issues)

Optimize this skill with Tessl:

    npx tessl skill review --optimize ./.github/skills/common/common-security-audit/SKILL.md

Quality

Discovery
100% — Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly articulates specific security-focused capabilities, names the supported languages, and provides explicit trigger guidance with natural terms users would use. It covers both the 'what' and 'when' comprehensively, and its security audit niche makes it highly distinctive among potential skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'hardcoded secrets, injection surfaces, unguarded routes, and infrastructure weaknesses' across named languages (Node, Go, Dart, Java, Python, Rust). These are concrete, actionable security concerns. | 3 / 3 |
| Completeness | Clearly answers both 'what' (probe for hardcoded secrets, injection surfaces, unguarded routes, infrastructure weaknesses across multiple languages) and 'when' (explicit 'Use when performing security audits, vulnerability scans, secrets detection, or penetration testing'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would say: 'security audits', 'vulnerability scans', 'secrets detection', 'penetration testing', plus specific terms like 'hardcoded secrets', 'injection surfaces', 'unguarded routes'. Also lists specific language names which users would mention. | 3 / 3 |
| Distinctiveness / Conflict Risk | Occupies a clear niche in security auditing and vulnerability detection. The specific focus on secrets, injection surfaces, unguarded routes, and infrastructure weaknesses across named languages makes it highly distinct and unlikely to conflict with general code review or other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
60% — Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill is well-structured and concise, covering a broad range of security audit checks across multiple languages with concrete grep commands and CLI tools. Its main weaknesses are the lack of a coherent workflow with validation/remediation checkpoints (critical for security audits) and the delegation of three major sections entirely to reference files without any inline guidance. The scoring impact table is a useful addition but doesn't compensate for the missing process flow.
Suggestions
Add a sequential workflow overview at the top (e.g., 'Run scans → Triage findings by severity → Remediate P0s first → Re-scan to verify fixes') with explicit validation checkpoints between stages.
Include at least a brief inline example or one-liner for sections 1, 3, and 6 instead of delegating entirely to references, so the skill remains useful without needing to load additional files.
Add a 'When findings are detected' feedback loop: what to do after a P0 is found, how to verify the fix, and when to re-run the audit to confirm remediation.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient. It avoids explaining what security audits are or how grep works, and jumps straight into actionable commands. Every section delivers concrete value without padding. | 3 / 3 |
| Actionability | Many sections provide concrete, executable grep commands and CLI tools, which is good. However, three of the seven main sections (1, 3, 6) delegate entirely to a references file with no inline examples, leaving gaps in immediate actionability. The auth coverage commands use regex grouping syntax that may not work in all shells without escaping. | 2 / 3 |
| Workflow Clarity | There is no clear sequential workflow or validation checkpoints. The sections are numbered but function as independent checks rather than a guided process. For a security audit involving potentially destructive or high-stakes findings (P0 severity), there are no feedback loops, no 'what to do when you find something' steps, and no verification that remediation was applied correctly. | 1 / 3 |
| Progressive Disclosure | The skill provides a clear overview with inline commands for quick reference while delegating detailed implementation examples and remediation protocols to one-level-deep reference files (references/implementation.md, references/REMEDIATION.md). Navigation is well-signaled. | 3 / 3 |
| Total | | 9 / 12 Passed |
Validation
81% — Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| metadata_version | 'metadata.version' is missing | Warning |
| metadata_field | 'metadata' should map string keys to string values | Warning |
| Total | | 9 / 11 Passed |