security-review
Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.
Install with Tessl CLI
npx tessl i github:affaan-m/everything-claude-code --skill security-review83
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skillValidation for skill structure
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description has strong completeness with an explicit 'Use this skill when...' clause and good trigger term coverage for security-related tasks. However, it lacks specificity about concrete actions (what exactly does the checklist cover? what patterns are provided?) and could potentially conflict with API or authentication-specific skills.
Suggestions
Add specific concrete actions like 'validates input sanitization, reviews authentication flows, checks for SQL injection vulnerabilities, audits secret storage'
Differentiate from potential API or auth skills by emphasizing the security audit/review aspect more explicitly
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Names the domain (security) and lists several areas (authentication, user input, secrets, API endpoints, payment features), but lacks concrete actions - 'Provides comprehensive security checklist and patterns' is vague about what specific actions are performed. | 2 / 3 |
Completeness | Explicitly answers both what ('Provides comprehensive security checklist and patterns') and when ('Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features'). | 3 / 3 |
Trigger Term Quality | Good coverage of natural terms users would say: 'authentication', 'user input', 'secrets', 'API endpoints', 'payment', 'sensitive features' are all terms developers naturally use when discussing security concerns. | 3 / 3 |
Distinctiveness Conflict Risk | While security-focused, terms like 'API endpoints' and 'user input' could overlap with general API development or form handling skills. The security niche is clear but boundaries with adjacent skills could be sharper. | 2 / 3 |
Total | 10 / 12 Passed |
Implementation
77%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, actionable security skill with excellent executable code examples and comprehensive verification checklists. The main weakness is its length - it tries to be both a quick reference and a comprehensive guide in one file, which could benefit from splitting detailed implementations into separate reference documents while keeping SKILL.md as a concise overview with links.
Suggestions
Split detailed code examples into separate reference files (e.g., AUTH_PATTERNS.md, INPUT_VALIDATION.md) and keep SKILL.md as a concise overview with the pre-deployment checklist and links to detailed guides
Remove explanatory text that Claude already knows (e.g., 'SQL Injection vulnerability' comments, basic security concept explanations) to reduce token usage
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is comprehensive but includes some redundant explanations Claude would know (e.g., explaining what SQL injection is). The extensive checklists and examples are valuable but could be tightened in places. | 2 / 3 |
Actionability | Excellent executable code examples throughout - TypeScript validation schemas, SQL policies, rate limiting implementations, and security tests are all copy-paste ready with real library imports and complete implementations. | 3 / 3 |
Workflow Clarity | Clear verification checklists after each section provide explicit validation steps. The pre-deployment checklist serves as a comprehensive feedback loop, and each security domain has its own verification steps to catch issues. | 3 / 3 |
Progressive Disclosure | Content is well-organized with clear sections, but it's a monolithic 400+ line file. The detailed code examples for each security domain could be split into separate reference files (e.g., AUTH.md, INPUT_VALIDATION.md) with SKILL.md serving as an overview. | 2 / 3 |
Total | 10 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.