Performs a security audit of frontend code, detecting vulnerabilities such as XSS and CSRF. Use when the user requests a code review or asks about code security.
- 76
- 70%: Does it follow best practices?
- Impact: Pending. No eval scenarios have been run.
- Passed: No known issues
Optimize this skill with Tessl:
`npx tessl skill review --optimize ./bcs-services/bcs-project-manager/.cursor/skills/bk-monitor-security-audit/SKILL.md`

Quality
Discovery (67%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description adequately covers the what and when aspects with explicit trigger guidance, earning full marks for completeness. However, it lacks specificity in concrete actions (relying on vague '等漏洞') and could benefit from more natural trigger terms and variations. The frontend security niche is reasonably distinct but the generic 'code review' trigger creates some conflict risk.
Suggestions
Replace '等漏洞' with specific vulnerability types like 'SQL injection, insecure dependencies, sensitive data exposure' to improve specificity
Add more natural trigger terms such as 'security scan', 'vulnerability check', 'secure coding', '.js files', '.vue files' to improve discoverability
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (frontend code security audit) and mentions specific vulnerability types (XSS, CSRF), but uses '等' (etc.) which is vague. Does not list comprehensive concrete actions beyond 'audit' and 'detect'. | 2 / 3 |
| Completeness | Clearly answers both what (performs security audits on frontend code, detects XSS/CSRF vulnerabilities) and when (when user requests code review or asks about code security) with explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Includes some relevant terms like '代码审查' (code review), '代码安全性' (code security), 'XSS', 'CSRF', but missing common variations like 'vulnerability scan', 'security check', 'penetration test', or file extensions like '.js', '.html'. | 2 / 3 |
| Distinctiveness Conflict Risk | Focuses on frontend security which is somewhat specific, but '代码审查' (code review) is generic and could overlap with general code review skills. The security focus helps but 'frontend' scope could still conflict with general security audit skills. | 2 / 3 |
| Total | | 9 / 12 Passed |
Implementation (72%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, concise skill that effectively uses progressive disclosure to reference detailed materials. However, it lacks concrete code examples for detecting vulnerabilities and could benefit from explicit validation steps in the workflow. The duplicate '可用资源' (Available Resources) section should be removed.
Suggestions
Add concrete code examples showing how to detect common vulnerabilities (e.g., regex patterns for innerHTML usage, dangerous URL patterns)
Include validation checkpoints in the workflow, such as 'verify all high-severity findings before generating report' or a severity classification step
Remove the duplicate '📦 可用资源' (Available Resources) section at the end of the file
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, providing only essential information without explaining concepts Claude already knows (like what XSS or CSRF are). Every section serves a clear purpose. | 3 / 3 |
| Actionability | The skill provides a checklist and workflow but lacks concrete code examples or specific commands. It references external files for detailed rules but doesn't include executable guidance in the main skill. | 2 / 3 |
| Workflow Clarity | The 3-step workflow is present but lacks validation checkpoints. For security auditing (a potentially high-stakes operation), there's no explicit verification step or feedback loop for handling discovered vulnerabilities. | 2 / 3 |
| Progressive Disclosure | Clear structure with well-signaled one-level-deep references to audit-rules.md, report-template.md, and security-checklist.md. The main skill serves as a concise overview pointing to detailed materials. | 3 / 3 |
| Total | | 10 / 12 Passed |
Validation (100%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
b08ac38