Enforce universal security protocols for safe, resilient software. Use when implementing authentication, encryption, authorization, input validation, secret management, or any security-sensitive feature across any language or framework.
Optimize this skill with Tessl: `npx tessl skill review --optimize ./.github/skills/common/common-security-standards/SKILL.md`

Quality
Discovery: 92%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly communicates its purpose and provides explicit trigger guidance. It lists concrete security domains as both capabilities and trigger terms, making it easy for Claude to match user requests. The only weakness is its very broad scope ('any language or framework', 'any security-sensitive feature') which could create overlap with more specialized skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: authentication, encryption, authorization, input validation, secret management, and security-sensitive features. These are distinct, well-defined security domains. | 3 / 3 |
| Completeness | Clearly answers both 'what' (enforce universal security protocols for safe, resilient software) and 'when' (explicit 'Use when' clause listing authentication, encryption, authorization, input validation, secret management, or any security-sensitive feature). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'authentication', 'encryption', 'authorization', 'input validation', 'secret management', 'security'. These are terms developers naturally use when requesting security-related help. | 3 / 3 |
| Distinctiveness / Conflict Risk | While security is a clear domain, the phrase 'across any language or framework' and the broad scope ('any security-sensitive feature') could cause overlap with language-specific or framework-specific skills that also handle security concerns. The breadth slightly increases conflict risk. | 2 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 57%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
A well-organized security skill with good progressive disclosure and clear structure, but weakened by redundancy across sections (least privilege, injection prevention, and error handling each appear twice) and a lack of concrete, executable code examples. The workflow is reasonable but would benefit from explicit feedback loops for security scanning failures.
Suggestions
- Remove duplicate guidance: consolidate injection prevention, error privacy, and least privilege into single authoritative locations rather than repeating across Always-Apply Rules and Context-Specific Rules.
- Add at least one executable code example showing the correct pattern (e.g., a parameterized query in Python/JS) alongside the incorrect `WHERE id = ${userId}` anti-pattern.
- Add an explicit feedback loop to workflow step 4: 'If scanner finds issues → fix → re-scan → only merge when clean.'
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Mostly efficient but has some redundancy: 'No raw SQL strings' appears in Always-Apply Rules and again under 'Injection Prevention' in Secure Coding; 'No stacktraces in prod' is repeated as 'Error Privacy'; 'Least Privilege' appears in both the Workflow and Data Safeguarding sections. Some bullet points explain concepts Claude already knows (e.g., what Zero Trust means). | 2 / 3 |
| Actionability | Provides specific standards (AES-256, TLS 1.3, parameterized queries) and tool names (npm audit, pip audit), but lacks executable code examples: the SQL injection example `WHERE id = ${userId}` only shows the wrong pattern without a concrete correct alternative. References to implementation examples exist, but the skill itself contains no copy-paste-ready code. | 2 / 3 |
| Workflow Clarity | The 4-step workflow is clearly sequenced and includes a verification step (SAST/DAST in CI), but lacks explicit feedback loops; there is no 'if scanner finds issues, fix and re-scan' step. For security-sensitive operations (which can be destructive), the absence of an explicit error recovery loop caps this at 2. | 2 / 3 |
| Progressive Disclosure | Content is well-structured with a clear hierarchy: Always-Apply Rules → Workflow → Context-Specific Rules → Anti-Patterns → References. External references are one level deep and clearly signaled with descriptive links to implementation examples, injection testing, and vulnerability remediation files. | 3 / 3 |
| Total | | 9 / 12 Passed |
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation: 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| metadata_version | 'metadata.version' is missing | Warning |
| metadata_field | 'metadata' should map string keys to string values | Warning |
| Total | | 9 / 11 Passed |