Security-focused code review mapped to OWASP Top 10 and ASVS. Use when reviewing pull requests, auditing files or modules for vulnerabilities, or performing pre-merge security gate checks. Covers injection, auth, authorization, cryptography, data exposure, misconfiguration, and deserialization.
Overall score: 68. Quality: 82% (does it follow best practices?). Impact: not scored, as no eval scenarios have been run. Risk rating: Risky (do not use without reviewing).
Discovery (100%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly communicates its purpose, scope, and trigger conditions. It uses third person voice, provides specific concrete actions, names relevant security frameworks (OWASP Top 10, ASVS), and includes an explicit 'Use when' clause with natural trigger terms. The enumeration of covered vulnerability categories further strengthens both specificity and distinctiveness.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'reviewing pull requests', 'auditing files or modules for vulnerabilities', 'pre-merge security gate checks'. Also enumerates specific vulnerability categories: injection, auth, authorization, cryptography, data exposure, misconfiguration, and deserialization. | 3 / 3 |
| Completeness | Clearly answers both 'what' (security-focused code review mapped to OWASP Top 10 and ASVS, covering specific vulnerability categories) and 'when' (explicit 'Use when' clause specifying pull requests, auditing files/modules, and pre-merge security gate checks). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would say: 'pull requests', 'security review', 'code review', 'vulnerabilities', 'OWASP', 'ASVS', 'security gate', 'injection', 'auth', 'cryptography', 'misconfiguration'. These cover a wide range of how users would naturally phrase security review requests. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: security-focused code review specifically mapped to OWASP Top 10 and ASVS frameworks. The combination of security review + specific standards + enumerated vulnerability categories makes it very unlikely to conflict with general code review or other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation (64%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, concise security review skill that effectively organizes vulnerability classes by OWASP priority and provides a clear multi-step workflow. Its main weaknesses are the lack of concrete executable examples (no sample vulnerable code, no sample finding output), missing validation/feedback loops in the workflow, and references to bundle files that don't exist in the provided context.
Suggestions:
- Add a concrete example finding showing a vulnerable code snippet, the attack scenario, and the fixed code; this would significantly boost actionability.
- Include a sample output using the `templates/finding.md` format so Claude knows exactly what the expected deliverable looks like.
- Add a validation step (e.g., 'Review findings for false positives by checking if input is already sanitized upstream') to create a feedback loop in the workflow.
- Provide the referenced bundle files (`plays/tier1-code-analysis/code-review-security.md`, `templates/finding.md`) or inline their essential content to make the skill self-contained.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and well-structured. It doesn't explain what OWASP is or how security reviews work conceptually; it assumes Claude's competence and jumps straight into the procedure. Every line adds actionable value. | 3 / 3 |
| Actionability | The skill provides a clear structured checklist of vulnerability classes and steps, but lacks concrete code examples (e.g., a vulnerable snippet and its fix, or a sample finding output). It references `plays/tier1-code-analysis/code-review-security.md` and `templates/finding.md`, but these aren't provided, making the guidance incomplete on its own. | 2 / 3 |
| Workflow Clarity | The five steps are clearly sequenced and logically ordered by priority. However, there are no validation checkpoints or feedback loops: no step to verify findings against false positives, no re-check after fixes, and no explicit gate criteria for pass/fail on a PR security review. | 2 / 3 |
| Progressive Disclosure | The skill references `plays/tier1-code-analysis/code-review-security.md` and `templates/finding.md` for deeper content, which is good progressive disclosure structure. However, no bundle files are provided, so these references are unverifiable and potentially broken. The OWASP references section is a flat list without links or clear navigation to actionable resources. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation (100%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.