Security patterns and OWASP guidelines. Triggers on: security review, OWASP, XSS, SQL injection, CSRF, authentication, authorization, secrets management, input validation, secure coding.
Overall score: 86. Does it follow best practices? 80%. Impact: 95% (1.03x average score across 3 eval scenarios). Status: Passed. No known issues.
Optimize this skill with Tessl: npx tessl skill review --optimize ./data/skills-md/0xdarkmatter/claude-mods/security-patterns/SKILL.md
Quality
Discovery
72%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description excels at trigger term coverage and distinctiveness, providing a comprehensive list of security-related keywords that would help Claude select this skill appropriately. However, it falls short on specificity of capabilities — it names the domain but doesn't describe concrete actions the skill performs (e.g., reviewing code, suggesting remediations, generating security checklists). The 'what' portion needs more substance.
Suggestions
Expand the opening clause to list specific actions, e.g., 'Reviews code for security vulnerabilities, applies OWASP guidelines, suggests remediations for common attack vectors, and generates security checklists.'
Add concrete output descriptions such as 'identifies vulnerabilities and provides fix recommendations' to clarify what the skill produces, not just what domain it covers.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain ('security patterns and OWASP guidelines') but does not list specific concrete actions like 'review code for vulnerabilities', 'suggest fixes', or 'generate security reports'. It stays at the level of naming the topic rather than describing what the skill actually does. | 2 / 3 |
| Completeness | The 'when' is well-addressed via the 'Triggers on:' clause with explicit trigger terms. However, the 'what' is weak: 'Security patterns and OWASP guidelines' doesn't clearly explain what the skill does (e.g., reviews code, generates recommendations, applies fixes). The 'what' portion is too vague to earn a 3. | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would actually say: 'security review', 'OWASP', 'XSS', 'SQL injection', 'CSRF', 'authentication', 'authorization', 'secrets management', 'input validation', 'secure coding'. These are all terms a developer would naturally use when seeking security help. | 3 / 3 |
| Distinctiveness / Conflict Risk | The description carves out a clear niche around security with highly specific trigger terms like 'OWASP', 'XSS', 'SQL injection', 'CSRF', and 'secrets management'. These are unlikely to conflict with other skills unless there are multiple security-focused skills. | 3 / 3 |
| Total | | 10 / 12 Passed |
Implementation
87%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong security patterns skill that efficiently covers the OWASP Top 10, input validation, output encoding, authentication, authorization, and secrets management with concrete, executable examples. The wrong/correct code pattern pairs are particularly effective for actionability. The main weakness is the lack of a structured security review workflow with validation checkpoints, which would help when performing actual security audits.
Suggestions
Add a structured security review workflow section with explicit steps: 1) Run scans, 2) Triage findings, 3) Fix issues, 4) Re-scan to verify fixes, 5) Document remaining risks.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient throughout. It avoids explaining what SQL injection or XSS are conceptually, instead showing wrong vs. correct patterns directly. Every section earns its place with concrete examples rather than explanations of things Claude already knows. | 3 / 3 |
| Actionability | Provides fully executable code examples across Python, JavaScript, and bash. The wrong/correct pattern pairs are copy-paste ready, the security audit grep commands are immediately usable, and the checklists provide specific, concrete guidance. | 3 / 3 |
| Workflow Clarity | This is primarily a reference/patterns skill rather than a multi-step workflow, so strict sequencing is less critical. However, the 'Quick Security Audit' section lists commands without a clear sequence or validation/feedback loop (e.g., what to do when findings are discovered, how to verify fixes). For a security review skill, a review workflow with verification steps would strengthen this. | 2 / 3 |
| Progressive Disclosure | The skill provides a well-structured overview with clear sections, then points to one-level-deep references (owasp-detailed.md, auth-patterns.md, crypto-patterns.md, secure-headers.md) and scripts. Navigation is clear and content is appropriately split between the overview and detailed reference files. | 3 / 3 |
| Total | | 11 / 12 Passed |
Validation
100%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.