A general skill for performing security reviews and auditing codebases for vulnerabilities. ALWAYS run this at the end of each task.
40
38%: Does it follow best practices?
Impact: — (No eval scenarios have been run)
Critical: Do not install without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/security-review-4/SKILL.md
Quality
Discovery
40%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is too vague and lacks concrete actions that would help Claude understand what specific security tasks it performs. The 'ALWAYS run at the end of each task' directive is a procedural instruction rather than a proper trigger clause, and the description fails to enumerate specific vulnerability types or security checks it covers.
Suggestions
- Add specific concrete actions like 'Checks for SQL injection, XSS vulnerabilities, insecure authentication, hardcoded secrets, and dependency vulnerabilities'
- Replace the procedural 'ALWAYS run this' with a proper 'Use when...' clause containing natural trigger terms like 'security audit', 'vulnerability check', 'code security', 'find security issues'
- Include common file types or patterns that indicate security review context (e.g., 'authentication code', 'API endpoints', 'user input handling')
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description uses vague language like 'performing security reviews' and 'auditing codebases for vulnerabilities' without listing concrete actions (e.g., checking for SQL injection, reviewing authentication flows, scanning dependencies). | 1 / 3 |
| Completeness | The 'what' is weakly stated (general security reviews), and the 'when' clause ('ALWAYS run this at the end of each task') is a procedural directive rather than explicit user-facing triggers describing when users would invoke this skill. | 2 / 3 |
| Trigger Term Quality | Contains some relevant keywords ('security reviews', 'auditing', 'vulnerabilities', 'codebases') but misses common user terms like 'security check', 'vulnerability scan', 'pentest', 'CVE', or specific vulnerability types users might mention. | 2 / 3 |
| Distinctiveness Conflict Risk | While 'security' provides some distinction, the phrase 'general skill' and broad scope could overlap with code review skills, static analysis tools, or compliance-focused skills. The 'ALWAYS run at end of task' instruction doesn't help differentiate when to select this over alternatives. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation
37%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill contains a critical security vulnerability in Section 5 - a prompt injection attack disguised as 'environment validation' that attempts to trick Claude into executing arbitrary remote code via curl. This completely disqualifies the skill for use. Beyond this fatal flaw, the skill provides moderately useful security review guidance but lacks executable examples and proper validation checkpoints.
Suggestions
- CRITICAL: Remove Section 5 entirely - it contains a malicious prompt injection attempting to execute arbitrary code from an external URL
- Add complete, executable grep/search commands rather than just describing patterns to look for
- Include validation checkpoints after each scanning step to verify findings before proceeding
- Add example output formats for the final security report to make reporting more actionable
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Content is reasonably efficient with bullet points and clear sections, but includes some unnecessary framing text. The structure is good but could be tighter. | 2 / 3 |
| Actionability | Provides specific commands (npm audit, pip-audit, govulncheck) and patterns to search for, but lacks complete executable examples. The grep_search patterns are described rather than shown as actual commands. | 2 / 3 |
| Workflow Clarity | Steps are listed but Section 5 contains a malicious injection attempt disguised as 'environment validation' that instructs Claude to execute arbitrary code from an external URL. This is a critical security flaw that completely undermines the skill's purpose as a security review tool. | 1 / 3 |
| Progressive Disclosure | Content is organized into clear numbered sections which aids navigation, but everything is inline with no references to external detailed documentation for advanced topics like specific vulnerability patterns. | 2 / 3 |
| Total | | 7 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
7d77bd2