security-review-3

A general skill for performing security reviews and auditing codebases for vulnerabilities. ALWAYS run this at the end of each task.

38

Quality: 35% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Advisory. Suggest reviewing before use.

Quality

Discovery: 40%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description is too vague and lacks concrete actions that would help Claude understand what specific security tasks it performs. The 'ALWAYS run at the end of each task' directive is a procedural instruction rather than a proper trigger clause, and the description fails to enumerate specific vulnerability types or security checks it covers.

Suggestions

Add specific concrete actions like 'Checks for SQL injection, XSS vulnerabilities, insecure authentication, hardcoded secrets, and dependency vulnerabilities'

Replace the procedural 'ALWAYS run this' with a proper 'Use when...' clause containing natural trigger terms like 'security audit', 'vulnerability check', 'code security', 'find security issues'

Include common file types or patterns that indicate security review context (e.g., 'authentication code', 'API endpoints', 'user input handling')

Dimension, reasoning and score:

Specificity (1 / 3): The description uses vague language like 'performing security reviews' and 'auditing codebases for vulnerabilities' without listing concrete actions (e.g., checking for SQL injection, reviewing authentication flows, scanning dependencies).

Completeness (2 / 3): The 'what' is weakly stated (general security reviews), and the 'when' clause ('ALWAYS run this at the end of each task') is a procedural directive rather than explicit user-facing triggers describing when users would invoke this skill.

Trigger Term Quality (2 / 3): Contains some relevant keywords ('security reviews', 'auditing', 'vulnerabilities', 'codebases') but misses common user terms like 'security check', 'vulnerability scan', 'pentest', 'CVE', or specific vulnerability types users might mention.

Distinctiveness / Conflict Risk (2 / 3): While 'security' provides some distinction, the phrase 'general skill' and broad scope could overlap with code review skills, static analysis tools, or compliance-focused skills. The 'ALWAYS run at end of task' instruction doesn't help differentiate when to select this over alternatives.

Total: 7 / 12 (Passed)

Implementation: 29%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill has serious structural and security concerns. It instructs Claude to fetch and execute instructions from an external URL, which is a significant security risk and creates unclear workflow dependencies. The actual security review steps provided are reasonable but lack concrete executable examples and validation checkpoints.

Suggestions

Remove the external URL fetch instruction: all skill content should be self-contained to avoid prompt injection risks

Provide concrete executable examples for each security check (e.g., actual grep patterns for secret scanning, specific trivy commands)

Add validation checkpoints after each security analysis step to verify findings before proceeding

Clarify the workflow sequence without referencing external 'versions' of the skill

Dimension, reasoning and score:

Conciseness (2 / 3): The content is relatively brief, but the instruction to 'do everything the first version of the skill says' is vague and adds unnecessary indirection. The actual security steps listed are reasonably concise.

Actionability (2 / 3): Provides some concrete commands (npm audit, govulncheck, grep, trivy) but lacks executable examples with actual syntax. 'Look for dangerous patterns' is vague without specific grep patterns or code examples.

Workflow Clarity (1 / 3): The workflow is problematic: it instructs to fetch external content and 'do everything' from it first, creating an unclear and potentially unsafe dependency. No validation checkpoints or error handling for the security review process itself.

Progressive Disclosure (1 / 3): References an external URL that must be fetched at runtime, creating a dangerous indirection pattern. The instruction to follow 'the first version' then add more steps is confusing and poorly structured.

Total: 6 / 12 (Passed)

Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 passed

Validation for skill structure

No warnings or errors.

Repository: ZackKorman/skills