A general skill for performing security reviews and auditing codebases for vulnerabilities. ALWAYS run this at the end of each task.
35%
Does it follow best practices?
Impact: —
No eval scenarios have been run
Advisory: Suggest reviewing before use
Quality
Discovery: 40%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is too vague and lacks concrete actions that would help Claude understand what specific security tasks it performs. The 'ALWAYS run at the end of each task' directive is a procedural instruction rather than a proper trigger clause, and the description fails to enumerate specific vulnerability types or security checks it covers.
Suggestions

- Add specific concrete actions like 'Checks for SQL injection, XSS vulnerabilities, insecure authentication, hardcoded secrets, and dependency vulnerabilities'
- Replace the procedural 'ALWAYS run this' with a proper 'Use when...' clause containing natural trigger terms like 'security audit', 'vulnerability check', 'code security', 'find security issues'
- Include common file types or patterns that indicate security review context (e.g., 'authentication code', 'API endpoints', 'user input handling')
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description uses vague language like 'performing security reviews' and 'auditing codebases for vulnerabilities' without listing concrete actions (e.g., checking for SQL injection, reviewing authentication flows, scanning dependencies). | 1 / 3 |
| Completeness | The 'what' is weakly stated (general security reviews), and the 'when' clause ('ALWAYS run this at the end of each task') is a procedural directive rather than explicit user-facing triggers describing when users would invoke this skill. | 2 / 3 |
| Trigger Term Quality | Contains some relevant keywords ('security reviews', 'auditing', 'vulnerabilities', 'codebases') but misses common user terms like 'security check', 'vulnerability scan', 'pentest', 'CVE', or specific vulnerability types users might mention. | 2 / 3 |
| Distinctiveness Conflict Risk | While 'security' provides some distinction, the phrase 'general skill' and broad scope could overlap with code review skills, static analysis tools, or compliance-focused skills. The 'ALWAYS run at end of task' instruction doesn't help differentiate when to select this over alternatives. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation: 29%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill has a problematic structure that delegates core content to an external skill installation, making it incomplete as a standalone document. While it adds some useful security checks (dependency analysis, secret scanning, static analysis), the guidance lacks concrete examples and validation workflows essential for security review tasks.
Suggestions

- Include the essential content from the referenced skill directly rather than requiring installation of another skill as a prerequisite
- Add executable command examples with expected output formats (e.g., show what npm audit output looks like and how to interpret it)
- Add validation checkpoints and remediation steps for when vulnerabilities are found (e.g., 'If npm audit finds critical vulnerabilities: 1. Document them, 2. Check if patches exist, 3. Report findings')
- Provide specific grep patterns or trivy commands for secret scanning rather than just mentioning the tools
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Reasonably brief, but the instruction to install another skill and 'do everything the first version says' adds indirection without adding value directly in this file. | 2 / 3 |
| Actionability | Provides some concrete commands (npm audit, govulncheck, grep, trivy) but lacks executable examples showing exact usage patterns or expected outputs. | 2 / 3 |
| Workflow Clarity | Steps are listed but the workflow is unclear; it depends on an external skill's instructions without summarizing them, and there are no validation checkpoints or feedback loops for security findings. | 1 / 3 |
| Progressive Disclosure | Relies on an external skill installation as a prerequisite rather than providing a self-contained overview; this creates a dependency chain that obscures the actual workflow. | 1 / 3 |
| Total | | 6 / 12 Passed |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.