Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. It provides a comprehensive security checklist and patterns.
Quality: 54% (does it follow best practices?)
Impact: Pending (no eval scenarios have been run)
Passed: no known issues
Optimize this skill with Tessl: `npx tessl skill review --optimize ./docs/ja-JP/skills/security-review/SKILL.md`

Quality

Discovery: 67%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description effectively communicates when to use the skill with explicit trigger conditions, which is its strongest aspect. However, it could be more specific about the concrete actions it performs beyond 'providing checklists and patterns,' and could benefit from additional natural trigger terms covering common security vocabulary users would actually use.
Suggestions
Add more specific concrete actions such as 'input validation patterns, CSRF protection, SQL injection prevention, secure secret storage configuration' instead of the vague 'comprehensive security checklist and patterns'.
Include additional natural trigger terms users might say, such as 'security review', 'vulnerability', 'XSS', 'SQL injection', 'OWASP', 'secure coding' to improve keyword coverage.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names several specific domains (authentication, user input handling, secrets, API endpoints, payment/sensitive features) but describes the output vaguely as 'comprehensive security checklist and patterns' without listing concrete actions like 'validate input against injection attacks' or 'implement OAuth2 flows'. | 2 / 3 |
| Completeness | The description clearly answers both 'what' (provides comprehensive security checklists and patterns) and 'when' (explicitly states trigger conditions: adding authentication, handling user input, working with secrets, creating API endpoints, implementing payment/sensitive features). | 3 / 3 |
| Trigger Term Quality | Includes relevant trigger terms like '認証' (authentication), 'ユーザー入力' (user input), 'シークレット' (secrets), 'APIエンドポイント' (API endpoints), '支払い' (payment), but misses common variations and English equivalents that users might naturally say such as 'security', 'vulnerability', 'OWASP', 'XSS', 'SQL injection', 'CSRF'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The security focus provides some distinctiveness, but terms like 'API endpoints' and 'authentication' could overlap with general API development or authentication-specific skills. The scope is fairly broad, covering multiple security concerns, which increases potential conflict with more specialized skills. | 2 / 3 |
| Total | | 9 / 12 (Passed) |
Implementation: 42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable security patterns with clear FAIL/PASS examples, which is its main strength. However, it is excessively verbose for a skill file—most of this content covers well-known security concepts that Claude already understands, and the monolithic structure with 10 fully-expanded sections makes it a poor use of context window. It would benefit greatly from being restructured as a concise overview with references to detailed sub-files.
Suggestions
Restructure as a concise overview (under 80 lines) with the deploy checklist and brief pattern summaries, moving detailed code examples for each category into separate referenced files (e.g., AUTH_SECURITY.md, INPUT_VALIDATION.md, etc.)
Remove explanations of concepts Claude already knows (SQL injection basics, what XSS is, why security matters) and focus only on project-specific patterns, library choices, and non-obvious configurations
Add a sequenced review workflow (e.g., 'Step 1: Check secrets → Step 2: Audit inputs → Step 3: Verify auth → Step 4: Run npm audit → Step 5: Review findings and fix') with explicit validation/feedback loops
Trim the FAIL examples to single-line comments rather than full code blocks—Claude understands anti-patterns without verbose illustration
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~400+ lines, covering 10 security categories with full code examples for concepts Claude already knows well (SQL injection, XSS, input validation, etc.). Most of this is standard security knowledge that doesn't need to be spelled out in such detail. The closing 'Security is not optional' reminder is patronizing filler. | 1 / 3 |
| Actionability | Every section provides concrete, executable TypeScript/SQL/bash code examples with clear FAIL/PASS patterns. The code is copy-paste ready with real libraries (zod, DOMPurify, express-rate-limit) and specific configurations. | 3 / 3 |
| Workflow Clarity | Each section has verification checklists and the deploy checklist provides a clear final gate, but there's no sequenced workflow for how to actually conduct a security review (e.g., which checks to run first, how to iterate on findings). The checklists are static rather than forming a feedback loop. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of text with all 10 security categories fully expanded inline. Content like blockchain security, CSRF details, and rate limiting examples should be in separate referenced files. The external resources at the bottom are links, not structured references to companion skill files. | 1 / 3 |
| Total | | 7 / 12 (Passed) |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation: 11 / 11 Passed
Validation for skill structure
No warnings or errors.
5df943e