
security-patterns

Security patterns and OWASP guidelines. Triggers on: security review, OWASP, XSS, SQL injection, CSRF, authentication, authorization, secrets management, input validation, secure coding.

Overall score: 91

Quality: 88% (Does it follow best practices?)

Impact: 95%, 1.03x (Average score across 3 eval scenarios)

Security by Snyk: Passed (No known issues)


Quality

Discovery

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description has strong trigger term coverage and clear 'when to use' guidance via the explicit 'Triggers on:' clause. Its main weakness is the vague 'what' portion—'Security patterns and OWASP guidelines' doesn't specify concrete actions the skill performs (e.g., reviewing code, recommending fixes, identifying vulnerabilities). Adding specific action verbs would elevate the description significantly.

Suggestions

Replace 'Security patterns and OWASP guidelines' with concrete actions like 'Reviews code for security vulnerabilities, recommends OWASP-compliant fixes, identifies injection flaws and authentication weaknesses'.

Dimension, reasoning and score:

Specificity (2 / 3): Names the domain (security) and references specific areas like OWASP guidelines, but doesn't list concrete actions. It says 'security patterns' rather than specific actions like 'review code for vulnerabilities, identify injection flaws, recommend authentication fixes'.

Completeness (3 / 3): Answers both 'what' (security patterns and OWASP guidelines) and 'when' (explicit 'Triggers on:' clause with a comprehensive list of trigger terms), satisfying the requirement for explicit trigger guidance.

Trigger Term Quality (3 / 3): Excellent coverage of natural trigger terms users would actually say: 'security review', 'OWASP', 'XSS', 'SQL injection', 'CSRF', 'authentication', 'authorization', 'secrets management', 'input validation', 'secure coding' are all terms developers naturally use.

Distinctiveness / Conflict Risk (3 / 3): The combination of security-specific terms like OWASP, XSS, SQL injection, CSRF, and secrets management creates a clear niche that is unlikely to conflict with other skills. These are highly domain-specific triggers.

Total: 11 / 12 (Passed)

Implementation

87%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a strong security patterns skill that excels at conciseness and actionability through its consistent WRONG/CORRECT code pattern approach. The progressive disclosure is well-handled with clear references to deeper materials. The main weakness is the lack of a cohesive workflow for conducting a security review, with the audit section being a flat list of commands rather than a guided process with feedback loops.

Suggestions

Add a brief workflow sequence to the 'Quick Security Audit' section that guides through running the scans, triaging findings, and verifying fixes (e.g., 'Run scans → Review findings → Fix → Re-scan to verify').

Dimension, reasoning and score:

Conciseness (3 / 3): The content is lean and efficient throughout. It avoids explaining what SQL injection or XSS are conceptually, instead showing WRONG/CORRECT code pairs that Claude can directly apply. Every section earns its place with actionable patterns rather than explanatory prose.

Actionability (3 / 3): Provides fully executable code examples across Python, JavaScript, and bash. The WRONG/CORRECT pattern pairs are copy-paste ready, the security audit grep commands are immediately usable, and the checklists provide specific, concrete guidance.

Workflow Clarity (2 / 3): The skill is primarily a reference/pattern catalog rather than a multi-step workflow, so strict sequencing is less critical. However, the 'Quick Security Audit' section lists commands without a clear sequence or validation/feedback loop (e.g., what to do when findings are discovered), and there's no overall workflow for conducting a security review.

Progressive Disclosure (3 / 3): The SKILL.md serves as a well-organized overview with clear sections, and appropriately points to one-level-deep references (owasp-detailed.md, auth-patterns.md, crypto-patterns.md, secure-headers.md) and scripts for deeper content. Navigation is clear and well-signaled.

Total: 11 / 12 (Passed)

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure: No warnings or errors.

Repository: NeverSight/skills_feed (Reviewed)
