Security-first development guidance based on OWASP ASVS (Application Security Verification Standard). Use this skill automatically when planning or implementing any code that touches user input, authentication, data persistence, network communication, file I/O, cryptography, or access control. This skill ensures all generated code adheres to industry-standard security practices with explicit references to applied guidance.
Quality score: 76% (Does it follow best practices?)
Impact: not rated; no eval scenarios have been run.
Passed: no known issues.
Optimize this skill with Tessl:
npx tessl skill review --optimize ./skills/security-guidance/SKILL.md

Quality
Discovery: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description has strong completeness with explicit 'Use when' triggers and good keyword coverage across security-related domains. Its main weaknesses are the lack of specific concrete actions (it describes guidance rather than specific operations) and an overly broad scope that could cause it to trigger for nearly any code-related task, creating potential conflicts with more focused skills.
Suggestions
Add specific concrete actions like 'applies input validation, implements secure authentication flows, enforces parameterized queries, configures TLS settings' instead of just saying 'guidance'.
Narrow the trigger scope or add priority/exclusion language to reduce conflict risk, e.g., 'Use as a supplementary check when security is the primary concern, not for general coding tasks that happen to involve these areas'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (security/OWASP ASVS) and lists areas it covers (user input, authentication, data persistence, etc.), but it doesn't list specific concrete actions like 'validate input against allowlists', 'implement CSRF tokens', or 'hash passwords with bcrypt'. The actions are described abstractly as 'guidance' and 'ensures code adheres to practices'. | 2 / 3 |
| Completeness | Clearly answers both 'what' (security-first development guidance based on OWASP ASVS, ensuring code adheres to industry-standard security practices) and 'when' (explicitly states 'Use this skill automatically when planning or implementing any code that touches user input, authentication, data persistence, network communication, file I/O, cryptography, or access control'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms that users and Claude would encounter: 'user input', 'authentication', 'data persistence', 'network communication', 'file I/O', 'cryptography', 'access control', 'OWASP', 'ASVS', 'security'. These cover a broad range of natural terms users would use when discussing security-related code. | 3 / 3 |
| Distinctiveness (Conflict Risk) | While the OWASP ASVS focus is distinctive, the broad scope covering 'any code that touches user input, authentication, data persistence, network communication, file I/O, cryptography, or access control' is extremely wide and could conflict with more specific skills for authentication, database operations, file handling, or networking. Nearly any backend code could trigger this skill. | 2 / 3 |
| Total | | 10 / 12 Passed |
Implementation: 70%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-organized security reference routing skill with excellent progressive disclosure and a clear workflow including an escalation/validation step. Its main weaknesses are the lack of any concrete code examples in the skill body itself (all actionability is deferred to reference files) and the token cost of 60+ repetitively formatted index entries that could be more compactly represented. The skill functions well as a lookup index but provides little standalone actionable guidance.
Suggestions
Add 1-2 concrete code examples in the skill body showing what a correctly cited secure implementation looks like (e.g., a password hashing example with inline ASVS citation), so Claude has a model to follow without needing to read a reference file first.
Consider consolidating the reference index into a more compact format (e.g., a markdown table with columns for Section, Description, Triggers, and File Path) to significantly reduce token count while preserving the same information.
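The first suggestion above asks for a model of a "correctly cited secure implementation" in the skill body. The block below is an added illustration of that shape; it is not code from the skill, from its reference files, or from Tessl. It stores and verifies passwords with PBKDF2-HMAC-SHA256 from the Python standard library, citing the OWASP ASVS 4.0.3 V2.4 requirement that each line satisfies. The iteration count, salt length and the `$pbkdf2-sha256$...` storage format are this example's own choices, not values the skill prescribes.

```python
"""Password storage with inline OWASP ASVS 4.0.3 citations (added example).

Uses only the standard library so it runs anywhere. PBKDF2-HMAC-SHA256 is
chosen because hashlib ships it; the parameters below are this example's own.
"""
import hashlib
import hmac
import secrets
from base64 import b64decode, b64encode

# ASVS V2.4.3: if PBKDF2 is used, the iteration count should be as large as
# the verification server can afford, and at least 100,000. 600,000 is this
# example's policy; raise it as hardware allows.
ASVS_MIN_PBKDF2_ITERATIONS = 100_000
PBKDF2_ITERATIONS = 600_000
PBKDF2_HASH = "sha256"
# ASVS V2.4.2: salt of at least 32 bits, chosen arbitrarily and unique per
# credential. 128 bits from a CSPRNG comfortably exceeds the floor.
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing string: $pbkdf2-sha256$<iters>$<salt>$<digest>.

    ASVS V2.4.1: passwords are salted and hashed with an approved password
    hashing function that takes password, salt and cost factor as inputs.
    """
    if iterations < ASVS_MIN_PBKDF2_ITERATIONS:
        # Refuse to store a hash weaker than the ASVS V2.4.3 floor.
        raise ValueError("PBKDF2 iteration count below ASVS V2.4.3 minimum")
    salt = secrets.token_bytes(SALT_BYTES)  # fresh salt per call (ASVS V2.4.2)
    digest = hashlib.pbkdf2_hmac(
        PBKDF2_HASH, password.encode("utf-8"), salt, iterations, dklen=DIGEST_BYTES
    )
    return "$pbkdf2-{}${}${}${}".format(
        PBKDF2_HASH,
        iterations,
        b64encode(salt).decode("ascii"),
        b64encode(digest).decode("ascii"),
    )


def _parse(stored: str):
    """Split the stored string back into (hash_name, iterations, salt, digest)."""
    _, scheme, iters, salt_b64, digest_b64 = stored.split("$")
    kdf, hash_name = scheme.split("-", 1)
    if kdf != "pbkdf2":
        raise ValueError("unsupported KDF in stored hash")
    return hash_name, int(iters), b64decode(salt_b64), b64decode(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost, compare in constant time."""
    hash_name, iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # Constant-time comparison so timing does not reveal matching prefixes.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, policy_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when the stored hash is weaker than current policy.

    ASVS V2.4.3 expects cost to grow with server capacity; call this after a
    successful login and re-hash with the plaintext you just verified.
    """
    _, iterations, _, _ = _parse(stored)
    return iterations < policy_iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
```

Each secure decision carries its ASVS requirement ID next to the line that satisfies it, which is the pattern the review wants the skill to model. The `needs_rehash` helper is the piece most examples omit: a cost floor is only useful if old hashes are migrated when the policy rises.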
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The index is well-structured and each entry is reasonably concise, but the sheer volume of 60+ nearly identically formatted index entries creates significant token bloat. Many entries could be consolidated into a table or grouped more tightly. The 'When to use' triggers are useful but repetitive in structure. | 2 / 3 |
| Actionability | The workflow steps (identify, read, apply, cite) are concrete and the inline citation example is helpful. However, the skill contains zero executable code examples — no demonstration of what secure code looks like vs. insecure code. All actual guidance is deferred to reference files, making the skill itself more of a routing table than actionable instruction. | 2 / 3 |
| Workflow Clarity | The 4-step workflow is clearly sequenced and unambiguous. The escalation section serves as an explicit validation checkpoint — if no section matches or guidance is unclear, Claude must stop and flag the gap rather than proceeding. This is a well-designed feedback loop for a guidance-routing skill. | 3 / 3 |
| Progressive Disclosure | The skill is an exemplary progressive disclosure structure: a concise overview with workflow, followed by an index of clearly signaled one-level-deep references. Each entry has a description, trigger conditions, and a direct file path. However, no bundle files were provided to verify the referenced paths actually exist, so this is scored on structure alone. | 3 / 3 |
| Total | | 10 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (997 lines); consider splitting into references/ and linking | Warning |
| Total | | 10 / 11 Passed |
3f4fcb6