CtrlK
BlogDocsLog inGet started
Tessl Logo

security-and-hardening

Hardens code against vulnerabilities. Use when handling user input, authentication, data storage, or external integrations. Use when building any feature that accepts untrusted data, manages user sessions, or interacts with third-party services.

68

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A highly actionable, well-sequenced security skill with executable code, clear workflows, and validation checkpoints. Its main gaps are length that could be tightened and a broken/missing reference that undermines progressive disclosure.

Suggestions

Create the referenced references/security-checklist.md and move the inline Security Review Checklist and Verification sections there, leaving a concise overview pointer in SKILL.md.

Trim the 'Common Rationalizations' table or move it to the reference file to reduce the body's token footprint.

Remove or fix the second dangling reference to references/security-checklist.md so all signaled paths resolve to real files.

DimensionReasoningScore

Conciseness

The body runs ~450 lines; while much of it (STRIDE table, OWASP patterns, SSRF TOCTOU caveat, LLM mapping) earns its place, there is explanatory prose and the 'Common Rationalizations' table that could be tightened, so it is mostly efficient but not uniformly lean.

2 / 3

Actionability

It provides extensive executable TypeScript examples, specific library calls (bcrypt, helmet, zod, express-rate-limit), concrete commands (npm ci, git diff checks), and copy-paste-ready patterns throughout.

3 / 3

Workflow Clarity

Multi-step processes are explicitly sequenced — the numbered 'Threat Model First' process, the npm-audit decision tree, the three-tier boundary system, and a closing Verification checklist with explicit validation checkpoints.

3 / 3

Progressive Disclosure

The skill is a single monolithic file with the full checklist inlined, and it twice references references/security-checklist.md which does not exist in the bundle — content that should be separate is inline and the signaled reference is missing.

2 / 3

Total

10

/

12

Passed

Description

90%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A well-constructed description with explicit 'Use when' triggers, third-person voice, and strong, natural trigger-term coverage. Its only weakness is the abstract opening verb, which names the domain without enumerating concrete hardening actions.

Suggestions

Replace the abstract 'Hardens code against vulnerabilities' with a few concrete actions, e.g. 'Validates input, parameterizes queries, hashes passwords, and sets security headers to harden code against vulnerabilities.'

DimensionReasoningScore

Specificity

The opening 'Hardens code against vulnerabilities' names the security domain but stays abstract — it never lists concrete actions like validate input, hash passwords, or parameterize queries, so it falls short of the 'multiple specific concrete actions' anchor.

2 / 3

Completeness

It states what the skill does ('Hardens code against vulnerabilities') and supplies two explicit 'Use when...' clauses, clearly answering both what and when.

3 / 3

Trigger Term Quality

It surfaces a broad set of natural trigger terms a user would actually say — 'user input, authentication, data storage, external integrations, untrusted data, user sessions, third-party services' — giving strong coverage.

3 / 3

Distinctiveness Conflict Risk

Security hardening is a clear niche with distinct, specific triggers (auth, sessions, external integrations, untrusted data) that are unlikely to fire for an unrelated skill; voice is correctly third person.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

referenced_paths_exist

Referenced path issues: 2 missing

Warning

Total

15

/

16

Passed

Repository
addyosmani/agent-skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.