security-audit

Audits Move contracts for security vulnerabilities before deployment using 7-category checklist. Triggers on: 'audit contract', 'security check', 'review security', 'check for vulnerabilities', 'security audit', 'is this secure', 'find security issues'.

1.41x

Quality

76%

Does it follow best practices?

Impact

95%

1.41x

Average score across 3 eval scenarios

Securityby

Passed

No known issues

Fix and improve this skill with Tessl

tessl review fix ./.claude/skills/security-audit/SKILL.md

Quality

Content

62%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill is highly actionable with excellent executable code examples and a clear multi-step workflow with validation checkpoints. However, it suffers significantly from verbosity and redundancy — the same security patterns are repeated across multiple sections (code examples, vulnerability table, manual checks, ALWAYS/NEVER rules), inflating the token cost substantially. The content would benefit greatly from consolidation and splitting detailed reference material into separate files.

Suggestions

Consolidate redundant content: the vulnerability table, manual checks section, and ALWAYS/NEVER rules largely repeat what's already covered in the step-by-step checklist with code examples. Merge these into a single concise reference or move the detailed examples to a separate file.

Move the detailed code examples for each audit category into a separate AUDIT_EXAMPLES.md file, keeping only the checklist items and key patterns in the main SKILL.md.

Remove the audit report template from the main file and place it in a separate REPORT_TEMPLATE.md, referencing it with a single link.

Dimension	Reasoning	Score
Conciseness	The skill is extremely verbose at ~300+ lines. There is massive redundancy: the same patterns (overflow checks, access control, ownership verification) are repeated across the checklist, code examples, the vulnerability table, the manual checks section, and the ALWAYS/NEVER rules. The audit report template duplicates the checklist. Much of this could be consolidated significantly.	1 / 3
Actionability	The skill provides fully executable Move code examples with correct/incorrect patterns clearly marked, specific bash commands for running tests and coverage, concrete checklist items, and a complete audit report template. Every category has copy-paste ready code.	3 / 3
Workflow Clarity	The workflow is clearly sequenced as Steps 1-8 with explicit validation checkpoints (compile, test, coverage checks). The audit report template serves as a verification artifact, and the skill explicitly states all items must pass before deployment with clear pass/fail criteria.	3 / 3
Progressive Disclosure	References to external files (SECURITY.md, OBJECTS.md) and related skills are provided at the end, which is good. However, the skill itself is monolithic — the detailed code examples for each audit category, the vulnerability table, the report template, and the manual checks could all be split into separate referenced files to keep the main skill lean.	2 / 3
	Total	9 / 12 Passed

Description

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong description with excellent trigger term coverage and clear completeness, explicitly stating both what the skill does and when to use it. The main weakness is that the specificity could be improved by listing the 7 categories or concrete actions (e.g., 'checks for reentrancy, access control issues, arithmetic overflow'). Overall it would perform well in skill selection among many candidates.

Suggestions

Expand specificity by listing some of the 7 audit categories (e.g., 'access control, reentrancy, arithmetic overflow') so Claude can better match nuanced user requests to this skill.

Dimension	Reasoning	Score
Specificity	It names the domain (Move contracts, security vulnerabilities) and mentions a '7-category checklist' which hints at structure, but doesn't list the specific actions or categories involved beyond 'audits'.	2 / 3
Completeness	Clearly answers both 'what' (audits Move contracts for security vulnerabilities using a 7-category checklist) and 'when' (explicit trigger phrases listed with 'Triggers on:' clause).	3 / 3
Trigger Term Quality	Excellent coverage of natural trigger terms users would say: 'audit contract', 'security check', 'review security', 'check for vulnerabilities', 'security audit', 'is this secure', 'find security issues' — these are highly natural phrases a user would use.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive — targets Move contracts specifically (not general code review or Solidity auditing), with security audit focus and explicit trigger terms that clearly delineate its niche.	3 / 3
	Total	11 / 12 Passed

Validation

81%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 9 / 11 Passed

Validation for skill structure

Criteria	Description	Result
metadata_version	'metadata.version' is missing	Warning
metadata_field	'metadata' should map string keys to string values	Warning

	Total	9 / 11 Passed

Repository: aave/aptos-aave-v3
Commit: 919362b

Reviewed: about 1 month ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.