Hardens code against vulnerabilities. Use when handling user input, authentication, data storage, or external integrations. Use when building any feature that accepts untrusted data, manages user sessions, or interacts with third-party services.
62 · Quality 73% (does it follow best practices?) · Impact: — (no eval scenarios have been run) · Passed · No known issues
Optimize this skill with Tessl:

    npx tessl skill review --optimize ./skills/security-and-hardening/SKILL.md

Quality
Discovery
Score: 82%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid description with strong trigger term coverage and good completeness thanks to explicit 'Use when...' clauses. Its main weaknesses are the lack of specific concrete actions (what exactly does 'hardens' mean in practice?) and moderate overlap risk with other domain-specific skills covering authentication, data storage, or integrations.
Suggestions
Add specific concrete actions like 'sanitizes inputs, prevents SQL injection, implements CSRF protection, encrypts sensitive data, validates authentication tokens' to improve specificity.
Consider adding security-specific trigger terms like 'vulnerability', 'XSS', 'SQL injection', 'OWASP', 'security review' to further distinguish from non-security skills that also deal with authentication or data storage.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (security hardening) and mentions several areas (user input, authentication, data storage, external integrations), but doesn't list specific concrete actions like 'sanitize inputs, implement CSRF protection, hash passwords, validate tokens'. 'Hardens code against vulnerabilities' is somewhat vague as a capability statement. | 2 / 3 |
| Completeness | Clearly answers both 'what' (hardens code against vulnerabilities) and 'when' with explicit 'Use when...' clauses covering multiple trigger scenarios (handling user input, authentication, data storage, external integrations, untrusted data, user sessions, third-party services). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms that users would actually say: 'user input', 'authentication', 'data storage', 'external integrations', 'untrusted data', 'user sessions', 'third-party services'. These cover a good range of security-related scenarios users would naturally describe. | 3 / 3 |
| Distinctiveness / Conflict Risk | While security hardening is a reasonably distinct niche, terms like 'authentication', 'data storage', and 'external integrations' could overlap with skills specifically focused on those domains (e.g., an authentication skill, a database skill, or an API integration skill). The description could conflict with feature-building skills that also handle these areas. | 2 / 3 |
| Total | | 10 / 12 (Passed) |
Implementation
Score: 64%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, highly actionable security reference with excellent executable code examples covering the OWASP Top 10, input validation, rate limiting, and secrets management. Its main weaknesses are length (could be more concise by removing motivational content and obvious comments) and structure (monolithic rather than properly layered with references). The verification checklist is good but lacks explicit feedback loops for remediation.
Suggestions
Remove the 'Common Rationalizations' table — it's motivational content that doesn't help Claude write secure code and wastes ~15 lines of context.
Split detailed OWASP examples and input validation patterns into a referenced file (e.g., `references/owasp-patterns.md`) and keep only the most critical 2-3 examples inline.
Add explicit feedback loops to the Verification section: for each failing check, specify what to do (e.g., 'If npm audit shows critical: see Triaging section above, fix before merging').
Remove inline comments that explain things Claude already knows (e.g., '// Not accessible via JavaScript', '// HTTPS only', '// 5MB') to improve token efficiency.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly long (~300 lines) and includes some content Claude already knows (e.g., the 'Common Rationalizations' table is motivational rather than instructional, and explanations like 'Not accessible via JavaScript' next to httpOnly are unnecessary). However, most content is actionable code examples and checklists that earn their place. Could be tightened by ~20-30%. | 2 / 3 |
| Actionability | Excellent executable TypeScript examples throughout: parameterized queries, bcrypt usage, Zod validation, helmet configuration, rate limiting, file upload validation. All code is copy-paste ready with real libraries and realistic patterns. The npm audit triage decision tree is also concretely actionable. | 3 / 3 |
| Workflow Clarity | The skill provides good checklists (Security Review Checklist, Verification section) and the npm audit triage decision tree is well-structured. However, there's no clear sequenced workflow for implementing security in a new feature; it reads more as a reference catalog than a step-by-step process. The verification checklist at the end partially compensates but lacks explicit feedback loops (e.g., what to do when a check fails). | 2 / 3 |
| Progressive Disclosure | The content references `references/security-checklist.md` in a 'See Also' section, but no bundle files are provided, making this a dead reference. The SKILL.md itself is quite long and monolithic; the OWASP section, input validation patterns, and rate limiting could reasonably be split into separate reference files. The section headers provide decent navigation, but the file would benefit from a more concise overview with deeper content offloaded. | 2 / 3 |
| Total | | 9 / 12 (Passed) |
Validation
Score: 100%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
f17c6e8