Content
77%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, comprehensive security skill with excellent actionable code examples covering the major web application vulnerability categories. Its main weakness is length — at 350+ lines it's a near-monolithic document that could benefit from splitting detailed patterns (OWASP examples, npm audit triage, LLM security) into referenced files. The three-tier boundary system and threat modeling workflow are well-structured, and the inclusion of AI/LLM security patterns is a valuable modern addition.
Suggestions
Move the detailed OWASP prevention patterns (with code examples) and npm audit triage tree into a referenced file like `references/security-patterns.md` to reduce the main skill's token footprint while preserving discoverability.
Remove or significantly trim the 'Common Rationalizations' table — it's motivational content that doesn't provide actionable guidance Claude needs to follow.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient with good code examples and tables, but includes some unnecessary content Claude already knows — the 'Common Rationalizations' table is motivational rather than instructional, and some explanatory prose (e.g., 'Security isn't a phase — it's a constraint on every line of code') adds little actionable value. The SSRF section's explanation of what SSRF is could be trimmed. Overall it's reasonably lean for its breadth but could shed ~20% without losing utility. | 2 / 3 |
| Actionability | Excellent actionable content throughout: fully executable TypeScript code examples for every major vulnerability category (injection, XSS, SSRF, auth, rate limiting, input validation), concrete bash commands for secret detection, specific library recommendations (zod, helmet, bcrypt, DOMPurify), and copy-paste-ready patterns. The SSRF example even includes the TOCTOU caveat with mitigation suggestions. | 3 / 3 |
| Workflow Clarity | The three-tier boundary system (Always Do / Ask First / Never Do) provides clear decision-making structure. The threat modeling process is well-sequenced (map boundaries → name assets → STRIDE → abuse cases). The npm audit triage decision tree is explicit with branching logic. Verification checklists at the end provide validation checkpoints. The 'Ask First' tier acts as a human-in-the-loop checkpoint for destructive/sensitive changes. | 3 / 3 |
| Progressive Disclosure | The skill references `references/security-checklist.md` for detailed checklists and OWASP ordering, which is good progressive disclosure. However, no bundle files are provided, so we can't verify the reference exists. The document itself is quite long (~350+ lines) and some sections (like the full OWASP patterns with code examples, the npm audit triage tree, and the rationalizations table) could be split into referenced files to keep the main skill leaner. The structure is well-organized with clear headers but the content is somewhat monolithic. | 2 / 3 |
| Total | | 10 / 12 Passed |