CtrlK
BlogDocsLog inGet started
Tessl Logo

security-review

Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.

60

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is rich with executable, copy-paste-ready security patterns and per-section verification checklists, making it highly actionable. Its weaknesses are verbosity from duplicated checklists, lack of an explicit sequenced workflow with feedback loops, and a monolithic structure that would benefit from splitting niche topics into reference files.

Suggestions

Replace the repeated per-section 'Verification Steps' lists with a single consolidated checklist (or cross-reference it) to cut token cost.

Move niche or large sections (e.g. Blockchain/Solana security, Security Testing) into separate reference files and link to them from SKILL.md to improve progressive disclosure.

Add an explicit ordered pre-deployment workflow with validate-fix-retry checkpoints rather than only flat checkbox lists.

DimensionReasoningScore

Conciseness

The body is actionable and avoids explaining concepts Claude already knows, but the per-section 'Verification Steps' checkboxes largely duplicate the inline guidance and the final 'Pre-Deployment Security Checklist' repeats those checks, so it could be tightened.

2 / 3

Actionability

It provides fully executable, copy-paste-ready code across domains — zod validation schemas, parameterized queries, httpOnly cookie headers, DOMPurify sanitization, rate-limit config, Supabase RLS policies, and npm audit commands — matching the 'fully executable code/commands' anchor.

3 / 3

Workflow Clarity

Verification checkboxes exist per section and in a pre-deployment checklist, but the content is organized as a domain reference rather than a sequenced workflow, with no explicit validate-fix-retry feedback loops, fitting 'steps listed but validation gaps; checkpoints implicit'.

2 / 3

Progressive Disclosure

Sections are well-organized, but all 10 domains, security testing, and the niche Solana/blockchain section live inline in a single ~498-line monolithic file with no reference files split out, fitting 'content that should be separate is inline'.

2 / 3

Total

9

/

12

Passed

Description

77%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is well-formed with an explicit 'Use this skill when' trigger and a clear what-statement, plus several concrete security actions. It is slightly weakened by trigger terms that lean on broad task phrases and could overlap with general coding skills.

Suggestions

Add explicit security-vocabulary triggers users would say, e.g. 'security review', 'vulnerabilities', 'XSS', 'SQL injection', or 'secure this code'.

Tighten broad triggers like 'handling user input' and 'creating API endpoints' by scoping them to the security concern (e.g. 'securing user input' or 'hardening new API endpoints') to reduce overlap with general coding skills.

DimensionReasoningScore

Specificity

The description lists multiple concrete actions including 'adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features' plus 'Provides comprehensive security checklist and patterns.', matching the 'Lists multiple specific concrete actions' anchor.

3 / 3

Completeness

It explicitly answers both what ('Provides comprehensive security checklist and patterns') and when ('Use this skill when adding authentication...'), with an explicit 'Use this skill when' trigger clause, matching the highest anchor.

3 / 3

Trigger Term Quality

Natural task-oriented triggers like 'authentication', 'user input', 'secrets', 'API endpoints', and 'payment' are present, but it omits common security vocabulary a user would say ('vulnerability', 'XSS', 'SQL injection', 'make this secure'), fitting 'some relevant keywords but missing common variations'.

2 / 3

Distinctiveness Conflict Risk

The security framing ('secrets', 'sensitive features', 'security checklist') is distinct, but broad triggers like 'handling user input' and 'creating API endpoints' could overlap with general validation or API-coding skills, fitting 'somewhat specific but could still overlap'.

2 / 3

Total

10

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

metadata_version

'metadata.version' is missing

Warning

Total

15

/

16

Passed

Repository
affaan-m/ECC
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.