security-reviewer

Identifies security vulnerabilities, generates structured audit reports with severity ratings, and provides actionable remediation guidance. Use when conducting security audits, reviewing code for vulnerabilities, or analyzing infrastructure security. Invoke for SAST scans, penetration testing, DevSecOps practices, cloud security reviews, dependency audits, secrets scanning, or compliance checks. Produces vulnerability reports, prioritized recommendations, and compliance checklists.

72

Quality: 88% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Passed, no known issues

Quality

Content: 77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a solid security review skill with strong actionability through concrete tool commands and an excellent example finding entry. The workflow is well-sequenced with appropriate authorization gates and validation checkpoints. The main weaknesses are minor verbosity in constraint lists and the inability to verify that the six referenced files actually exist in the bundle, which limits the progressive disclosure score.

Suggestions

Trim the 'When to Use This Skill' section since it largely duplicates information already conveyed by the workflow steps and skill description.

Move the flat 'Knowledge Reference' list into a reference file or remove it entirely — Claude already knows these tools and standards, and the list adds no actionable guidance.

Dimension (Score): Reasoning

Conciseness (2 / 3): Generally efficient but has some unnecessary padding. The 'When to Use This Skill' section largely repeats the workflow steps. The MUST DO/MUST NOT DO lists contain some items Claude would already know (e.g., 'don't share detailed exploits publicly'). The Knowledge Reference section is a flat list of tool names that adds little actionable value.

Actionability (3 / 3): Provides concrete, executable tool commands (semgrep, bandit, gitleaks, npm audit, trivy), a detailed example finding entry with specific code showing both the vulnerable and remediated pattern, and clear severity rating guidance using CVSS. The example finding is copy-paste ready and demonstrates the expected output format precisely.

Workflow Clarity (3 / 3): The 5-step core workflow is clearly sequenced with explicit validation checkpoints: authorization verification before testing (steps 1 and 4), mandatory manual review after automated scanning (step 3), stakeholder confirmation before finalizing reports (step 5), and immediate reporting of critical findings. The workflow includes a feedback loop of verify-then-proceed and appropriately gates destructive/active testing behind authorization checks.

Progressive Disclosure (2 / 3): The reference table with 'Load When' guidance is well-structured and clearly signals when to load each reference file. However, no bundle files were provided, so the six referenced files (references/sast-tools.md, etc.) cannot be verified to exist. The main SKILL.md itself is moderately long but not excessively so; some content like the Knowledge Reference list could be moved to a reference file.

Total: 10 / 12 (Passed)

Description: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly articulates specific capabilities (vulnerability identification, audit report generation, remediation guidance), provides comprehensive trigger terms spanning multiple security domains, and explicitly separates 'what' from 'when' with clear invocation guidance. The description is well-structured, uses third person voice throughout, and occupies a distinct niche that minimizes conflict risk with other skills.

Dimension (Score): Reasoning

Specificity (3 / 3): Lists multiple specific concrete actions: identifies security vulnerabilities, generates structured audit reports with severity ratings, provides actionable remediation guidance, produces vulnerability reports, prioritized recommendations, and compliance checklists.

Completeness (3 / 3): Clearly answers both 'what' (identifies vulnerabilities, generates audit reports, provides remediation guidance) and 'when' with explicit triggers ('Use when conducting security audits, reviewing code for vulnerabilities... Invoke for SAST scans, penetration testing...').

Trigger Term Quality (3 / 3): Excellent coverage of natural trigger terms users would say: security audits, vulnerabilities, SAST scans, penetration testing, DevSecOps, cloud security reviews, dependency audits, secrets scanning, compliance checks, code review for vulnerabilities.

Distinctiveness / Conflict Risk (3 / 3): Clearly occupies a distinct security auditing niche with specific triggers like SAST scans, penetration testing, secrets scanning, and compliance checks that are unlikely to conflict with general code review or documentation skills.

Total: 12 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria (Result): Description

allowed_tools_field (Warning): 'allowed-tools' contains unusual tool name(s)

Total: 10 / 11 (Passed)

Repository: Jeffallan/claude-skills (Reviewed)
