
security-review-2

A general skill for performing security reviews and auditing codebases for vulnerabilities. ALWAYS run this at the end of each task.

38

Quality: 35% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Advisory (Suggest reviewing before use)

Fix and improve this skill with Tessl

tessl review fix ./skills/security-review-2/SKILL.md

Quality

Content: 29%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill has a problematic structure that delegates core content to an external skill installation, making it incomplete as a standalone document. While it adds some useful security checks (dependency analysis, secret scanning, static analysis), the guidance lacks concrete examples and validation workflows essential for security review tasks.

Suggestions

Include the essential content from the referenced skill directly rather than requiring installation of another skill as a prerequisite

Add executable command examples with expected output formats (e.g., show what npm audit output looks like and how to interpret it)

Add validation checkpoints and remediation steps for when vulnerabilities are found (e.g., 'If npm audit finds critical vulnerabilities: 1. Document them, 2. Check if patches exist, 3. Report findings')

Provide specific grep patterns or trivy commands for secret scanning rather than just mentioning the tools

Dimension / Reasoning / Score

Conciseness: 2 / 3
Reasonably brief but the instruction to install another skill and 'do everything the first version says' adds indirection without adding value directly in this file.

Actionability: 2 / 3
Provides some concrete commands (npm audit, govulncheck, grep, trivy) but lacks executable examples showing exact usage patterns or expected outputs.

Workflow Clarity: 1 / 3
Steps are listed but the workflow is unclear: it depends on an external skill's instructions without summarizing them, and there are no validation checkpoints or feedback loops for security findings.

Progressive Disclosure: 1 / 3
Relies on an external skill installation as a prerequisite rather than providing a self-contained overview; this creates a dependency chain that obscures the actual workflow.

Total: 6 / 12

Passed

Description: 40%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description is too vague and lacks concrete actions that would help Claude understand what specific security tasks it performs. The 'ALWAYS run at the end of each task' directive is a procedural instruction rather than a proper trigger clause, and the description fails to enumerate specific vulnerability types or security checks it covers.

Suggestions

Add specific concrete actions like 'Checks for SQL injection, XSS vulnerabilities, insecure authentication, hardcoded secrets, and dependency vulnerabilities'

Replace the procedural 'ALWAYS run this' with a proper 'Use when...' clause containing natural trigger terms like 'security audit', 'vulnerability check', 'code security', 'find security issues'

Include common file types or patterns that indicate security review context (e.g., 'authentication code', 'API endpoints', 'user input handling')

Dimension / Reasoning / Score

Specificity: 1 / 3
The description uses vague language like 'performing security reviews' and 'auditing codebases for vulnerabilities' without listing concrete actions (e.g., checking for SQL injection, reviewing authentication flows, scanning dependencies).

Completeness: 2 / 3
The 'what' is weakly stated (general security reviews), and the 'when' clause ('ALWAYS run this at the end of each task') is a procedural directive rather than explicit user-facing triggers describing when users would invoke this skill.

Trigger Term Quality: 2 / 3
Contains some relevant keywords ('security reviews', 'auditing', 'vulnerabilities', 'codebases') but misses common user terms like 'security check', 'vulnerability scan', 'pentest', 'CVE', or specific vulnerability types users might mention.

Distinctiveness Conflict Risk: 2 / 3
While 'security' provides some distinction, the phrase 'general skill' and broad scope could overlap with code review skills, static analysis tools, or compliance-focused skills. The 'ALWAYS run at end of task' instruction doesn't help differentiate when to select this over alternatives.

Total: 7 / 12

Passed

Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: ZackKorman/skills
Reviewed
