
security-review

Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. It provides a comprehensive security checklist and patterns.

63

Quality

54%

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./docs/ja-JP/skills/security-review/SKILL.md

Quality

Discovery

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description effectively communicates when to use the skill by listing specific trigger scenarios (authentication, user input, secrets, API endpoints, payment features) and what it provides (security checklists and patterns). However, it could be more specific about the concrete actions performed and include more natural trigger terms users might use. The broad security scope creates some overlap risk with other development-focused skills.

Suggestions

Add more natural trigger terms users would say, such as 'security review', 'vulnerability', 'XSS', 'SQL injection', 'CSRF', 'OWASP', and their English equivalents for bilingual discoverability.

Make the 'what' portion more specific by listing concrete actions like 'validates input sanitization, reviews authentication flows, checks for common vulnerabilities, enforces secret management best practices' instead of the vague 'comprehensive security checklist and patterns'.

Dimension / Reasoning / Score

Specificity (2 / 3)

The description names several specific domains (authentication, user input handling, secrets, API endpoints, payment/sensitive features) but describes the output vaguely as 'comprehensive security checklist and patterns' without listing concrete actions like 'validate input against injection attacks' or 'implement OAuth2 flows'.

Completeness (3 / 3)

The description clearly answers both 'what' (provides comprehensive security checklists and patterns) and 'when' (when adding authentication, handling user input, working with secrets, creating API endpoints, implementing payment/sensitive features), with explicit trigger scenarios listed upfront.

Trigger Term Quality (2 / 3)

Includes relevant trigger terms like '認証' (authentication), 'ユーザー入力' (user input), 'シークレット' (secrets), 'APIエンドポイント' (API endpoints), '支払い' (payment), but misses common variations and English equivalents that users might naturally say, such as 'security', 'auth', 'OWASP', 'vulnerability', 'XSS', 'SQL injection', 'CSRF'.

Distinctiveness / Conflict Risk (2 / 3)

The security focus provides some distinctiveness, but terms like 'API endpoints' and 'authentication' could overlap with general API development or authentication-specific skills. The scope is fairly broad, covering multiple security concerns, which increases potential conflict with more specialized skills.

Total: 9 / 12

Passed

Implementation

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides highly actionable, executable security guidance with excellent FAIL/PASS code patterns and comprehensive checklists. However, it is far too verbose for a skill file—most of this content covers standard security knowledge Claude already has, and the monolithic structure (~400 lines) wastes context window. It would be significantly improved by condensing to a concise overview with the deploy checklist and offloading detailed domain-specific guidance to separate files.

Suggestions

Reduce the SKILL.md to a concise overview (~50-80 lines) with the deploy checklist and brief reminders of project-specific patterns (e.g., Supabase RLS, Solana wallet verification), removing standard security knowledge Claude already knows (SQL injection basics, XSS fundamentals, etc.).

Split detailed domain-specific sections (input validation, auth, XSS, CSRF, rate limiting, etc.) into separate referenced files like AUTH.md, INPUT_VALIDATION.md, etc., and link to them from the main skill.

Add a clear workflow sequence for conducting a security review—e.g., 'Start with secrets scan → validate inputs → check auth → review data exposure → run npm audit' with explicit validation/feedback steps between phases.

Remove explanations of concepts Claude inherently knows (e.g., what SQL injection is, why XSS is dangerous) and focus only on project-specific conventions and non-obvious patterns.

Dimension / Reasoning / Score

Conciseness (1 / 3)

The skill is extremely verbose at ~400+ lines, covering 10 security domains with extensive code examples. Much of this is standard security knowledge Claude already possesses (SQL injection basics, XSS prevention, environment variables for secrets). The content reads like a security textbook rather than a concise skill reference.

Actionability (3 / 3)

Every section provides fully executable TypeScript/SQL/bash code examples with clear FAIL/PASS patterns. The code is copy-paste ready, uses real libraries (zod, DOMPurify, express-rate-limit), and includes concrete validation checklists for each domain.

Workflow Clarity (2 / 3)

Each section has clear checklists and FAIL/PASS patterns, and there's a comprehensive deploy-before checklist. However, there's no sequencing guidance for how to apply these checks in a review workflow: it's a flat list of independent concerns without a clear process for when/how to iterate through them or what to do when issues are found during review.

Progressive Disclosure (1 / 3)

This is a monolithic wall of text with all 10 security domains fully expanded inline. There are no bundle files to offload detailed sections to, and the content would greatly benefit from splitting each domain (e.g., SQL injection, XSS, CSRF) into separate referenced files while keeping SKILL.md as a concise overview with the deploy checklist.

Total: 7 / 12

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository
affaan-m/everything-claude-code
Reviewed
