Enforce universal security protocols for safe, resilient software. Use when implementing authentication, encryption, authorization, input validation, secret management, or any security-sensitive feature across any language or framework.
60
71%
Does it follow best practices?
Impact: — (No eval scenarios have been run)
Passed: No known issues
Optimize this skill with Tessl:
npx tessl skill review --optimize ./.github/skills/common/common-security-standards/SKILL.md

Quality
Discovery (92%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its security-focused domain with specific capabilities and an explicit 'Use when' clause containing natural trigger terms. The main weakness is its very broad scope ('any language or framework', 'any security-sensitive feature') which could create overlap with more specialized skills. Overall, it effectively communicates both what the skill does and when to use it.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: authentication, encryption, authorization, input validation, secret management, and security-sensitive features. These are distinct, well-defined security domains. | 3 / 3 |
| Completeness | Clearly answers both 'what' (enforce universal security protocols for safe, resilient software) and 'when' (explicit 'Use when' clause listing specific trigger scenarios like implementing authentication, encryption, authorization, etc.). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'authentication', 'encryption', 'authorization', 'input validation', 'secret management', 'security'. These are terms developers naturally use when requesting security-related help. | 3 / 3 |
| Distinctiveness / Conflict Risk | While security is a clear domain, the phrase 'any language or framework' and the broad scope ('any security-sensitive feature') could overlap with language-specific or framework-specific skills that also handle security concerns. The breadth slightly increases conflict risk. | 2 / 3 |
| Total | | 11 / 12 Passed |
Implementation (50%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This security skill provides reasonable coverage of key security principles with a clear structure separating always-apply rules from context-specific guidance. However, it suffers from redundancy between sections (injection prevention, error handling mentioned multiple times), lacks executable code examples for a topic that benefits greatly from them, and references bundle files that don't exist. The workflow section would benefit from explicit feedback loops for error recovery.
Suggestions
- Deduplicate overlapping content between the 'Always-Apply Rules' and 'Context-Specific Rules' sections (e.g., injection prevention and error handling appear in both).
- Add at least one executable code example inline for the most critical pattern (e.g., a parameterized query in Python/JS, or environment-variable secret loading).
- Add an explicit feedback loop to the workflow: 'If SAST/DAST finds issues → fix → re-scan → only merge when clean'.
- Either provide the referenced bundle files (references/implementation.md, INJECTION_TESTING.md, VULNERABILITY_REMEDIATION.md) or remove the references to avoid broken links.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient but contains some redundancy — for example, 'No raw SQL strings' and 'Injection Prevention' both cover parameterized queries, and 'No stacktraces in prod' and 'Error Privacy' overlap. Some bullet points explain concepts Claude already knows (e.g., what Zero Trust means, what Least Privilege means). Could be tightened by deduplicating. | 2 / 3 |
| Actionability | Provides specific guidance like 'AES-256 for data-at-rest; TLS 1.3 for data-in-transit' and mentions concrete tools ('npm audit', 'pip audit'), but lacks executable code examples. The reference to 'implementation examples' for parameterized queries and secret management would help, but the bundle files don't exist, so the actionable content is incomplete. No copy-paste ready code is provided inline. | 2 / 3 |
| Workflow Clarity | The 4-step workflow is clearly sequenced and includes a verification step (SAST/DAST in CI), but lacks explicit feedback loops — there's no 'if validation fails, do X' recovery step. For security-sensitive operations (which can be destructive), the absence of error recovery guidance caps this at 2. | 2 / 3 |
| Progressive Disclosure | The skill references three external files (references/implementation.md, references/INJECTION_TESTING.md, references/VULNERABILITY_REMEDIATION.md), which is good structure, but none of these bundle files actually exist. The inline content also has some sections that could be consolidated or better organized — the 'Always-Apply Rules' and 'Context-Specific Rules' sections overlap significantly. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation (81%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| metadata_version | 'metadata.version' is missing | Warning |
| metadata_field | 'metadata' should map string keys to string values | Warning |
| Total | | 9 / 11 Passed |
556618c