
common-security-standards

Enforce universal security protocols for safe, resilient software. Use when implementing authentication, encryption, authorization, input validation, secret management, or any security-sensitive feature across any language or framework. (triggers: **/*.ts, **/*.tsx, **/*.go, **/*.dart, **/*.java, **/*.kt, **/*.swift, **/*.py, security, encrypt, authenticate, authorize)

76

Quality

69%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Security (by Snyk)

Passed

No known issues


Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a solid description that clearly communicates both what the skill does and when to use it, with good trigger term coverage. Its main weaknesses are the somewhat abstract capability description (listing security categories rather than concrete actions) and the very broad scope that could cause conflicts with more specific skills. The file glob triggers covering many common languages increase the risk of false activation.

Suggestions

Replace abstract categories with more concrete actions, e.g., 'Implements password hashing, JWT authentication, role-based access control, input sanitization, and secrets vault integration' instead of listing general areas.

Narrow the file glob triggers to avoid activating on every source file; consider removing them or limiting to security-specific file patterns to reduce conflict risk with other language-specific skills.

Dimension, reasoning, and score

Specificity

It names the domain (security) and lists several actions/areas like authentication, encryption, authorization, input validation, and secret management, but these are more categories than concrete actions. It doesn't describe specific operations like 'hash passwords', 'generate JWT tokens', or 'sanitize SQL inputs'.

2 / 3

Completeness

Clearly answers both 'what' (enforce universal security protocols for safe, resilient software) and 'when' (explicit 'Use when' clause listing authentication, encryption, authorization, input validation, secret management, or any security-sensitive feature). Also includes explicit file-pattern triggers.

3 / 3

Trigger Term Quality

Includes a strong set of natural trigger terms: 'security', 'encrypt', 'authenticate', 'authorize', plus file extensions for relevant languages. The 'Use when' clause also contains natural phrases like 'input validation', 'secret management', and 'security-sensitive feature' that users would naturally mention.

3 / 3

Distinctiveness Conflict Risk

While security is a reasonably distinct domain, the phrases 'universal security protocols' and 'across any language or framework' are very broad. They could overlap with language-specific security skills or framework-specific best-practice skills. The broad file glob patterns (matching all .ts, .py, .go files, etc.) increase conflict risk significantly.

2 / 3

Total: 10 / 12

Passed

Implementation

57%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a reasonably well-structured security skill with good progressive disclosure and clear organization. Its main weaknesses are redundancy across sections (several rules stated twice) and a lack of executable code examples — for a skill triggered on code files across multiple languages, concrete code snippets would significantly improve actionability. The workflow would benefit from an explicit feedback loop for scanner findings.

Suggestions

Add at least 2-3 executable code examples inline (e.g., parameterized query in Python/TypeScript, environment variable secret loading) to improve actionability from description-level to copy-paste-ready.

Deduplicate repeated rules: consolidate 'No raw SQL' / 'Injection Prevention', 'No stacktraces' / 'Error Privacy', and 'Least Privilege' mentions into single authoritative locations.

Add an explicit feedback loop to the workflow: 'If SAST/DAST finds issues → fix → re-scan → only merge when clean' to meet the validation checkpoint standard for security-sensitive operations.
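The two snippets the first suggestion asks for, a parameterized query beside the raw-SQL form the skill forbids and fail-closed secret loading from the environment, written here as an added illustration in Python. This is not code from the reviewed skill or its repository; it assumes an in-memory SQLite table with constructed sample rows, and takes an explicit environment mapping (a constructed fake, defaulting to os.environ) so the secret loader can be exercised without touching the real process environment.

```python
"""Added example (not part of the reviewed skill): parameterized SQL and
environment-based secret loading, runnable against in-memory SQLite."""
import os
import sqlite3
from typing import List, Mapping, Optional, Tuple


# --- Injection prevention ---------------------------------------------------

def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: the raw SQL string the skill's rules forbid.
    A name of  ' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Parameterized query: the driver binds `name` as a value, never as SQL,
    so the same payload matches nothing."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# --- Secret management --------------------------------------------------------

class MissingSecret(RuntimeError):
    """Raised when a required secret is absent or too short to be real."""


def load_secret(name: str, env: Optional[Mapping[str, str]] = None,
                min_len: int = 16) -> str:
    """Read a secret from the environment and fail closed.

    `env` is an assumption of this example: it defaults to os.environ but an
    explicit mapping can be passed for testing. There is intentionally no
    hard-coded fallback, and the message never echoes the value, so a
    misconfiguration cannot leak the secret into logs or stack traces."""
    source = os.environ if env is None else env
    value = source.get(name, "")
    if len(value) < min_len:
        raise MissingSecret(f"{name} is unset or shorter than {min_len} characters")
    return value


def redact(value: str) -> str:
    """What a log line may contain about a secret: its length and a two-char
    prefix, never the value itself."""
    return f"<secret len={len(value)} prefix={value[:2]}...>"


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(conn, payload))  # both rows: injection worked
    print("safe:  ", find_user_safe(conn, payload))    # []: literal match only
    fake_env = {"DB_PASSWORD": "correct-horse-battery-staple"}  # constructed
    print("secret:", redact(load_secret("DB_PASSWORD", fake_env)))
```

The unsafe variant is kept only to show what the parameterized form prevents; in a real codebase the skill's 'no raw SQL strings' rule means it should never be written. The minimum-length check in load_secret is a cheap guard against placeholder values such as "changeme" surviving into production, not a substitute for a secrets vault.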

Dimension, reasoning, and score

Conciseness

Mostly efficient but has some redundancy — 'No raw SQL strings' appears in Always-Apply Rules and again under 'Injection Prevention' in Secure Coding; 'No stacktraces in prod' is repeated as 'Error Privacy'; 'Least Privilege' appears in both the Workflow and Data Safeguarding sections. Some bullet points explain concepts Claude already knows (e.g., what Zero Trust means).

2 / 3

Actionability

Provides specific standards (AES-256, TLS 1.3, parameterized queries, npm audit) which are concrete, but lacks executable code examples — no actual code snippets for parameterized queries, secret management, or input validation. The reference to 'implementation examples' helps but the skill body itself relies on descriptions rather than copy-paste-ready guidance.

2 / 3

Workflow Clarity

The 4-step workflow is clearly sequenced and includes a verification step (SAST/DAST in CI), but lacks explicit feedback loops — there's no 'if scanner finds issues, fix and re-scan' step. For security-sensitive operations that can be destructive, this missing feedback loop caps the score at 2 per the rubric.

2 / 3

Progressive Disclosure

Content is well-structured with a clear hierarchy: Always-Apply Rules → Workflow → Context-Specific Rules → Anti-Patterns → References. External references are one level deep and clearly signaled with descriptive links to implementation examples, injection testing, and vulnerability remediation files.

3 / 3

Total: 9 / 12

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 passed

Validation for skill structure

No warnings or errors.

Repository: HoangNguyen0403/agent-skills-standard (Reviewed)
