
security-patterns

Security patterns and OWASP guidelines. Triggers on: security review, OWASP, XSS, SQL injection, CSRF, authentication, authorization, secrets management, input validation, secure coding.

Quality: 84 (1.03x). Does it follow best practices?

Impact: 95% (1.03x). Average score across 3 eval scenarios.

Security by Snyk: Passed. No known issues.


Quality

Content: 65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A well-organized, highly actionable security reference with strong executable examples, undermined by restated common knowledge, a validation-free audit workflow, and references to bundle files that are not actually shipped.

Suggestions

Ship the referenced bundle files (./references/owasp-detailed.md, auth-patterns.md, crypto-patterns.md, secure-headers.md and ./scripts/security-scan.sh, dependency-audit.sh) or remove the references — currently they point to non-existent files, breaking progressive-disclosure navigation.

Add a validation/triage step to the Quick Security Audit (e.g., review each grep hit for false positives before reporting) so the batch scan has an explicit feedback loop.

Trim restated common knowledge — the OWASP Top 10 table and the generic validation/secret DO-DON'T lists — keeping only security-specific guidance Claude would not already know, to improve token efficiency.

Dimension scores (dimension, score, reasoning):

Conciseness, 2 / 3: Presentation is tight (tables, WRONG/CORRECT code, no prose padding), but a meaningful chunk restates knowledge Claude already has, namely the OWASP Top 10 table and generic validation/secret DO-DON'T checklists, so not every token earns its place.

Actionability, 3 / 3: Concrete, executable, copy-paste-ready guidance throughout: real bcrypt API calls, parameterized queries, textContent escaping, and actual ripgrep audit commands rather than pseudocode.

Workflow Clarity, 2 / 3: The "Quick Security Audit" lists grep steps but provides no validation or triage feedback loop, and a batch codebase scan with no verification of findings caps this dimension at 2.

Progressive Disclosure, 2 / 3: The body is well-sectioned and clearly signals one-level-deep references, but the referenced ./references/*.md and ./scripts/*.sh files do not exist in the bundle, so the promised navigation is broken.

Total: 9 / 12

Passed

Description: 90%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, third-person description with explicit trigger guidance and natural security terms that clearly establish the skill's niche. The only weakness is the absence of concrete action verbs stating what the skill does.

Dimension scores (dimension, score, reasoning):

Specificity, 2 / 3: It names the domain and specific topics ("Security patterns and OWASP guidelines", "XSS, SQL injection, CSRF") but uses no concrete action verbs describing what the skill does, falling short of the multi-action score-3 anchor.

Completeness, 3 / 3: It states what ("Security patterns and OWASP guidelines") and gives explicit when guidance ("Triggers on: …"), answering both halves; the missing-trigger cap at 2 does not apply because trigger guidance is present.

Trigger Term Quality, 3 / 3: The "Triggers on:" list (security review, OWASP, XSS, SQL injection, CSRF, authentication, authorization, secrets management) is exactly what a user would naturally say, with good coverage of common variations.

Distinctiveness / Conflict Risk, 3 / 3: It carves a clear web-application security niche with distinct, security-specific triggers (OWASP, XSS, CSRF), making it unlikely to fire for the wrong skill.

Total: 11 / 12

Passed

Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 16 / 16 passed

Validation for skill structure

No warnings or errors.

Repository: NeverSight/skills_feed (Reviewed)
