
security-patterns

Security patterns and OWASP guidelines. Triggers on: security review, OWASP, XSS, SQL injection, CSRF, authentication, authorization, secrets management, input validation, secure coding.

Score: 83

Quality: 76% (Does it follow best practices?)

Impact: 95% (1.03x; average score across 3 eval scenarios)

Security (by Snyk): Passed, no known issues.

Optimize this skill with Tessl

npx tessl skill review --optimize ./data/skills-md/0xdarkmatter/claude-mods/security-patterns/SKILL.md

Quality

Content (79%)

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a strong security reference skill with excellent conciseness and actionability — the WRONG/CORRECT code pattern pairs are particularly effective and the content avoids unnecessary explanation. The main weaknesses are the lack of an explicit security review workflow with validation checkpoints, and the referenced bundle files that don't actually exist, which undermines the progressive disclosure structure.

Suggestions

Add an explicit 'Security Review Workflow' section with ordered steps and validation checkpoints (e.g., 1. Run security scan scripts, 2. Review findings, 3. Fix critical issues first, 4. Re-scan to verify fixes)

Either provide the referenced bundle files (owasp-detailed.md, auth-patterns.md, etc.) or remove the references to avoid pointing to non-existent resources
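As an added illustration of the review workflow suggested above (this is example code written for this page, not a script from the security-patterns skill or from Tessl), the Python program below drives the four steps once over a constructed sample file: a grep-style scan with severity-ranked rules, review of the top finding, a fix applied critical-first, and a re-scan that verifies the fix only if the targeted finding is gone and no finding of equal or higher severity appeared. The rule patterns, the severities and the sample application are assumptions made for the demonstration.

```python
"""Security review workflow: scan, review, fix critical first, re-scan.

Added example for this page; not the security-patterns skill's own scripts.
The rules, severities and the sample source below are constructed here.
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Grep-style rules ordered by severity. Assumption: a real audit tunes these
# per language and framework; they are deliberately simple here.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
RULES = [
    ("critical", "sql-string-concat",
     re.compile(r'\.execute\(\s*(?:f["\']|[^,)]*(?:\+|%)\s*)')),
    ("high", "hardcoded-secret",
     re.compile(r'(?i)\b(?:password|passwd|secret|api_key|token)\b\s*=\s*["\'][^"\']{8,}["\']')),
    ("high", "shell-true",
     re.compile(r'subprocess\.\w+\(.*shell\s*=\s*True')),
    ("medium", "pickle-load",
     re.compile(r'\bpickle\.loads?\(')),
]

# Constructed sample application with three deliberate findings.
SAMPLE_APP = '''\
import sqlite3
import subprocess

API_KEY = "sk_live_0123456789abcdef"  # constructed placeholder, not a real key

def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cur.fetchall()

def ping(host):
    return subprocess.run("ping -c1 " + host, shell=True)
'''

# The CORRECT half of the WRONG/CORRECT pair for the critical finding.
PARAMETERISED_QUERY = '    cur.execute("SELECT * FROM users WHERE name = ?", (name,))'


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    path: str
    line: int
    text: str


def scan(root: Path) -> list[Finding]:
    """Step 1: scan every .py file under root; findings come back critical-first."""
    findings = []
    for path in sorted(root.rglob("*.py")):
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            for severity, rule, pattern in RULES:
                if pattern.search(line):
                    findings.append(Finding(severity, rule, str(path.relative_to(root)),
                                            lineno, line.strip()))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.path, f.line))


def verify_fix(before: list[Finding], after: list[Finding], fixed: Finding) -> bool:
    """Step 4: a fix is verified only if the targeted finding is gone and the
    change introduced no new finding of equal or higher severity."""
    gone = fixed not in after
    regressions = [f for f in after if f not in before
                   and SEVERITY_RANK[f.severity] <= SEVERITY_RANK[fixed.severity]]
    return gone and not regressions


def fix_line(root: Path, finding: Finding, replacement: str) -> None:
    """Step 3: replace the offending line (scripted here; by hand in a real review)."""
    file = root / finding.path
    lines = file.read_text().splitlines()
    lines[finding.line - 1] = replacement
    file.write_text("\n".join(lines) + "\n")


def run_review(root: Path) -> dict:
    """Drive the four steps once and report what each step saw."""
    before = scan(root)                            # 1. scan
    target = before[0]                             # 2. review: list head is highest severity
    fix_line(root, target, PARAMETERISED_QUERY)    # 3. fix critical first
    after = scan(root)                             # 4. re-scan
    return {"before": [f.rule for f in before],
            "after": [f.rule for f in after],
            "verified": verify_fix(before, after, target)}


def demo() -> dict:
    """Write the constructed sample into a temporary directory and review it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.py").write_text(SAMPLE_APP)
        return run_review(root)


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

The re-scan is the validation checkpoint: comparing the whole finding (rule, path, line and text) before and after means a fix that merely moves or rewrites a vulnerable line still shows up, and a fix that introduces a new high-severity pattern fails verification instead of closing the item.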

Dimension, reasoning and score

Conciseness (3 / 3)

The content is lean and efficient throughout. It avoids explaining what SQL injection or XSS are conceptually, instead jumping straight to WRONG/CORRECT code patterns. Every section earns its place with concrete examples rather than explanations of concepts Claude already knows.

Actionability (3 / 3)

Provides fully executable code examples in Python, JavaScript, and bash across all major security domains. The WRONG/CORRECT pattern pairs are copy-paste ready, the security audit grep commands are immediately usable, and the checklists provide specific, concrete guidance.

Workflow Clarity (2 / 3)

The Quick Security Audit section provides a clear sequence of grep commands, and checklists are well-structured. However, there's no explicit workflow for conducting a security review (e.g., order of operations, validation checkpoints, what to do when issues are found). For a skill that triggers on 'security review,' a review workflow with feedback loops would strengthen this.

Progressive Disclosure (2 / 3)

The skill references external files (references/owasp-detailed.md, references/auth-patterns.md, etc.) which is good structure, but no bundle files are provided to back these references. The main content is well-organized with clear sections, but the references section feels like a promise without delivery since the files don't exist.

Total: 10 / 12

Passed
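To show the kind of WRONG/CORRECT pair the Conciseness and Actionability dimensions above credit, here is one for SQL injection, added for this page rather than taken from the security-patterns skill. It assumes Python's standard sqlite3 module; the in-memory table, its rows and the injection payload are constructed for the demonstration, and the test at the end exercises both halves with the same payload.

```python
"""WRONG/CORRECT pair for SQL injection, runnable against sqlite3.

Added example for this page; not code from the security-patterns skill.
The database contents and the payload are constructed here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture: two users, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# WRONG: the caller's string becomes part of the SQL text, so a quote in the
# input rewrites the WHERE clause.
def find_user_wrong(conn: sqlite3.Connection, name: str) -> list:
    cur = conn.execute("SELECT name, role FROM users WHERE name = '" + name + "'")
    return cur.fetchall()


# CORRECT: the value is bound to a placeholder; the driver never parses it as SQL.
def find_user_correct(conn: sqlite3.Connection, name: str) -> list:
    cur = conn.execute("SELECT name, role FROM users WHERE name = ?", (name,))
    return cur.fetchall()


# Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
PAYLOAD = "x' OR '1'='1"


def injection_demo() -> dict:
    """Run the same payload through both variants and return what each leaks."""
    conn = make_db()
    return {
        "wrong": find_user_wrong(conn, PAYLOAD),       # every row, including the admin
        "correct": find_user_correct(conn, PAYLOAD),   # no row is literally named that
    }


if __name__ == "__main__":
    for variant, rows in injection_demo().items():
        print(f"{variant}: {rows}")
```

The placeholder syntax is driver-specific (`?` for sqlite3, `%s` for psycopg2); what matters is that the value is bound by the driver rather than interpolated into the query text, which is also why a grep for `execute(` followed by `+`, `%` or an f-string is a useful audit heuristic.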

Description (72%)

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description excels at trigger term coverage and distinctiveness, providing a comprehensive list of security-related keywords that would reliably match user queries. However, it falls short on specificity of capabilities — it names the domain but doesn't describe what concrete actions the skill performs (e.g., reviewing code, suggesting fixes, generating secure patterns). The 'what' portion needs more actionable detail.

Suggestions

Replace the vague 'Security patterns and OWASP guidelines' with specific actions like 'Reviews code for security vulnerabilities, suggests fixes for common exploits, and applies OWASP guidelines to harden applications.'

Add concrete capability verbs such as 'identifies', 'remediates', 'audits', or 'generates secure alternatives' to clarify what the skill actually does beyond just being about security.

Dimension, reasoning and score

Specificity (2 / 3)

The description names the domain ('security patterns and OWASP guidelines') but does not list specific concrete actions like 'review code for vulnerabilities', 'suggest fixes for XSS flaws', or 'audit authentication flows'. It tells you the topic area but not what it actually does.

Completeness (2 / 3)

The 'when' is well-addressed via the 'Triggers on:' clause with explicit trigger terms. However, the 'what' is weak: 'Security patterns and OWASP guidelines' is vague about what concrete actions the skill performs (review? generate? fix?). It partially answers both, but the 'what' is insufficient for a score of 3.

Trigger Term Quality (3 / 3)

Excellent coverage of natural trigger terms users would actually say: 'security review', 'OWASP', 'XSS', 'SQL injection', 'CSRF', 'authentication', 'authorization', 'secrets management', 'input validation', 'secure coding'. These are all terms a developer would naturally use when seeking security help.

Distinctiveness / Conflict Risk (3 / 3)

The security domain with specific terms like OWASP, XSS, SQL injection, CSRF, and secrets management creates a clear niche that is unlikely to conflict with other skills. The trigger terms are highly specific to application security.

Total: 10 / 12

Passed

Validation (100%)

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 passed

Validation for skill structure

No warnings or errors.

Repository: NeverSight/skills_feed (Reviewed)
