Security patterns and OWASP guidelines. Triggers on: security review, OWASP, XSS, SQL injection, CSRF, authentication, authorization, secrets management, input validation, secure coding.
83
76%
Does it follow best practices?
Impact
95%
1.03x average score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl: npx tessl skill review --optimize ./data/skills-md/0xdarkmatter/claude-mods/security-patterns/SKILL.md
Quality
Discovery
72%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description excels at trigger term coverage and distinctiveness, providing a comprehensive list of security-related keywords that would reliably match user queries. However, it falls short on specificity of capabilities — it names the domain but doesn't describe what concrete actions the skill performs (e.g., reviewing code, suggesting fixes, generating secure implementations). The 'what' portion needs more detail about actual actions.
Suggestions
Replace the vague 'Security patterns and OWASP guidelines' with specific actions like 'Reviews code for security vulnerabilities, suggests fixes for common exploits, and applies OWASP guidelines to harden applications'.
Add concrete capability verbs such as 'identifies', 'remediates', 'audits', or 'generates secure implementations' to clarify what the skill actually does beyond just being about security.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain ('security patterns and OWASP guidelines') but does not list specific concrete actions like 'review code for vulnerabilities', 'suggest fixes for XSS flaws', or 'audit authentication flows'. It tells you the topic area but not what it actually does. | 2 / 3 |
| Completeness | The 'when' is well-addressed via the 'Triggers on:' clause with explicit trigger terms. However, the 'what' is weak: 'Security patterns and OWASP guidelines' is vague about what concrete actions the skill performs (review? generate? fix?). The trigger guidance is present but the capability description is insufficient for full completeness. | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'security review', 'OWASP', 'XSS', 'SQL injection', 'CSRF', 'authentication', 'authorization', 'secrets management', 'input validation', 'secure coding'. These are all terms a user would naturally use when seeking security help. | 3 / 3 |
| Distinctiveness / Conflict Risk | The security domain with specific terms like OWASP, XSS, SQL injection, CSRF, and secrets management creates a clear niche that is unlikely to conflict with other skills. These are highly distinctive trigger terms. | 3 / 3 |
| Total | | 10 / 12 Passed |
Implementation
79%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong security reference skill with excellent actionability through concrete wrong/correct code pairs and copy-paste ready audit commands. The OWASP table and checklists are efficient and well-structured. The main weaknesses are the lack of an explicit security review workflow with validation steps, and referenced bundle files that don't actually exist.
Suggestions
Add a brief security review workflow at the top (e.g., 1. Run audit scripts → 2. Triage findings by severity → 3. Fix critical issues → 4. Re-scan to verify → 5. Document remaining risks) to improve workflow clarity.
Provide the referenced bundle files (owasp-detailed.md, auth-patterns.md, scripts/security-scan.sh, etc.) or remove the references to avoid broken navigation.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient throughout. It avoids explaining what SQL injection or XSS are conceptually and instead jumps straight to wrong/correct code patterns. The OWASP table is a compact reference. Every section earns its place with actionable content rather than explanatory prose. | 3 / 3 |
| Actionability | Provides fully executable code examples in Python, JavaScript, and bash across multiple security domains. The wrong/correct pattern pairs are immediately usable, the security audit grep commands are copy-paste ready, and the checklists provide specific, concrete guidance. | 3 / 3 |
| Workflow Clarity | The skill is primarily a reference/pattern guide rather than a multi-step workflow, so strict sequencing is less critical. However, the Quick Security Audit section could benefit from a clear workflow (run scans → triage findings → fix → re-scan). There are no explicit validation checkpoints or feedback loops for the security review process itself. | 2 / 3 |
| Progressive Disclosure | The skill references external files (references/owasp-detailed.md, scripts/security-scan.sh, etc.), which is good structure, but no bundle files are provided to back these references. The main content is well-organized with clear sections, but the inline content is fairly long and some sections (like the full security headers block) could arguably be in reference files. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation
100%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
3ae408c