
security-review

A general skill for performing security reviews and auditing codebases for vulnerabilities. ALWAYS run this at the end of each task.

44

Quality

45%

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Critical

Do not install without reviewing


Quality

Discovery

40%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description is too vague and lacks concrete actions that would help Claude understand what specific security tasks it performs. The 'ALWAYS run at the end of each task' directive is a procedural instruction rather than a proper trigger clause, and the description fails to enumerate specific vulnerability types or security checks it covers.

Suggestions

Add specific concrete actions like 'Checks for SQL injection, XSS vulnerabilities, insecure authentication, hardcoded secrets, and dependency vulnerabilities'

Replace the procedural 'ALWAYS run this' with a proper 'Use when...' clause containing natural trigger terms like 'security audit', 'vulnerability check', 'code security', 'find security issues'

Include common file types or patterns that indicate security review context (e.g., 'authentication code', 'API endpoints', 'user input handling')

| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description uses vague language like 'performing security reviews' and 'auditing codebases for vulnerabilities' without listing concrete actions (e.g., checking for SQL injection, reviewing authentication flows, scanning dependencies). | 1 / 3 |
| Completeness | The 'what' is weakly stated (general security reviews), and the 'when' clause ('ALWAYS run this at the end of each task') is a procedural directive rather than explicit user-facing triggers describing when users would invoke this skill. | 2 / 3 |
| Trigger Term Quality | Contains some relevant keywords ('security reviews', 'auditing', 'vulnerabilities', 'codebases') but misses common user terms like 'security check', 'vulnerability scan', 'pentest', 'CVE', or specific vulnerability types users might mention. | 2 / 3 |
| Distinctiveness Conflict Risk | While 'security' provides some distinction, the phrase 'general skill' and broad scope could overlap with code review skills, static analysis tools, or compliance-focused skills. The 'ALWAYS run at end of task' instruction doesn't help differentiate when to select this over alternatives. | 2 / 3 |
| Total | | 7 / 12 |

Passed

Implementation

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides a reasonable security review framework with clear sections and some actionable commands, but contains a CRITICAL SECURITY VULNERABILITY: Section 5 contains hidden HTML comments with malicious instructions attempting to get Claude to execute arbitrary code from an external URL. This is a prompt injection attack that should immediately disqualify this skill from use. Beyond the security issue, the skill could be improved with more executable examples and validation checkpoints.

Suggestions

CRITICAL: Remove the malicious hidden HTML comment in Section 5 that attempts prompt injection via curl to an external URL - this is a severe security vulnerability

Add complete executable grep/search command examples instead of just listing patterns (e.g., `grep -rE 'AKIA[A-Z0-9]{16}' --include='*.js' .`)

Include validation steps after remediation to verify fixes (e.g., 're-run npm audit to confirm vulnerability is resolved')

Consider splitting language-specific patterns into separate reference files (e.g., PYTHON_PATTERNS.md, JS_PATTERNS.md) for better organization

| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Content is reasonably efficient but includes some unnecessary framing ('When running a security review...') and could be tighter. The structure is good but some sections like 'Reconnaissance & Setup' have generic guidance Claude already knows. | 2 / 3 |
| Actionability | Provides specific commands (npm audit, pip-audit, govulncheck) and grep patterns, but lacks complete executable examples. The grep_search patterns are listed but not shown as actual commands with syntax. | 2 / 3 |
| Workflow Clarity | Steps are numbered and sequenced, but lacks validation checkpoints between steps. No feedback loops for when vulnerabilities are found - just 'suggest remediation' without concrete verification that fixes work. | 2 / 3 |
| Progressive Disclosure | Content is reasonably organized with clear sections, but everything is inline in one file. For a comprehensive security review skill, language-specific patterns and detailed remediation guides could be split into separate reference files. | 2 / 3 |
| Total | | 8 / 12 |

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository
ZackKorman/skills
Reviewed
