
security-audit

Audits Move contracts for security vulnerabilities before deployment using 7-category checklist. Triggers on: 'audit contract', 'security check', 'review security', 'check for vulnerabilities', 'security audit', 'is this secure', 'find security issues'.

Overall score: 82 (1.41x)

Quality: 76%. Does it follow best practices?

Impact: 95% (1.41x). Average score across 3 eval scenarios.

Security by Snyk: Passed. No known issues.

Optimize this skill with Tessl

npx tessl skill review --optimize ./.claude/skills/security-audit/SKILL.md
Quality

Discovery

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong description with excellent trigger term coverage and clear completeness, explicitly stating both what the skill does and when to use it. The main weakness is that the specificity could be improved by listing the 7 categories or concrete actions (e.g., 'checks for reentrancy, access control issues, arithmetic overflow'). Overall it would perform well in skill selection among many candidates.

Suggestions

Expand specificity by listing some of the 7 audit categories (e.g., 'access control, reentrancy, arithmetic overflow') so Claude can better match nuanced user requests to this skill.

Dimension, reasoning and score:

Specificity (2 / 3): It names the domain (Move contracts, security vulnerabilities) and mentions a '7-category checklist', which hints at structure, but doesn't list the specific actions or categories involved beyond 'audits'.

Completeness (3 / 3): Clearly answers both 'what' (audits Move contracts for security vulnerabilities using a 7-category checklist) and 'when' (explicit trigger phrases listed with the 'Triggers on:' clause).

Trigger Term Quality (3 / 3): Excellent coverage of natural trigger terms users would say: 'audit contract', 'security check', 'review security', 'check for vulnerabilities', 'security audit', 'is this secure', 'find security issues'. These are highly natural phrases a user would use.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive: targets Move contracts specifically (not general code review or Solidity auditing), with a security audit focus and explicit trigger terms that clearly delineate its niche.

Total: 11 / 12, Passed

Implementation

62%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill is highly actionable with excellent executable code examples and a clear multi-step workflow with validation checkpoints. However, it suffers significantly from verbosity and redundancy — the same security patterns are repeated across multiple sections (code examples, vulnerability table, manual checks, ALWAYS/NEVER rules), inflating the token cost substantially. The content would benefit greatly from consolidation and splitting detailed reference material into separate files.

Suggestions

Consolidate redundant content: the vulnerability table, manual checks section, and ALWAYS/NEVER rules largely repeat what's already covered in the step-by-step checklist with code examples. Merge these into a single concise reference or move the detailed examples to a separate file.

Move the detailed code examples for each audit category into a separate AUDIT_EXAMPLES.md file, keeping only the checklist items and key patterns in the main SKILL.md.

Remove the audit report template from the main file and place it in a separate REPORT_TEMPLATE.md, referencing it with a single link.

Dimension, reasoning and score:

Conciseness (1 / 3): The skill is extremely verbose at ~300+ lines. There is massive redundancy: the same patterns (overflow checks, access control, ownership verification) are repeated across the checklist, code examples, the vulnerability table, the manual checks section, and the ALWAYS/NEVER rules. The audit report template duplicates the checklist. Much of this could be consolidated significantly.

Actionability (3 / 3): The skill provides fully executable Move code examples with correct/incorrect patterns clearly marked, specific bash commands for running tests and coverage, concrete checklist items, and a complete audit report template. Every category has copy-paste ready code.

Workflow Clarity (3 / 3): The workflow is clearly sequenced as Steps 1-8 with explicit validation checkpoints (compile, test, coverage checks). The audit report template serves as a verification artifact, and the skill explicitly states that all items must pass before deployment, with clear pass/fail criteria.

Progressive Disclosure (2 / 3): References to external files (SECURITY.md, OBJECTS.md) and related skills are provided at the end, which is good. However, the skill itself is monolithic: the detailed code examples for each audit category, the vulnerability table, the report template, and the manual checks could all be split into separate referenced files to keep the main skill lean.

Total: 9 / 12, Passed

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure

Criteria, description and result:

metadata_version: 'metadata.version' is missing. Result: Warning

metadata_field: 'metadata' should map string keys to string values. Result: Warning

Total: 9 / 11, Passed

Repository: aave/aptos-aave-v3 (Reviewed)
