Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment or other sensitive features. It provides comprehensive security checklists and patterns.
Overall score: 50 (54%)
Does it follow best practices? Impact: — (no eval scenarios have been run)
Passed: no known issues
npx tessl skill review --optimize ./docs/ja-JP/skills/security-review/SKILL.md

Quality

Discovery: 67%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description effectively communicates when to use the skill with explicit trigger scenarios, which is its strongest aspect. However, it could be more specific about the concrete actions it performs beyond 'providing checklists and patterns,' and the trigger terms could cover more natural variations users might use when seeking security guidance. The Japanese language is fine but may limit discoverability for non-Japanese users.
Suggestions
Add more specific concrete actions like 'input sanitization validation, CSRF protection setup, secret rotation guidance, OAuth flow implementation' instead of the vague 'comprehensive security checklists and patterns'.
Expand trigger terms to include common security-related keywords users might naturally say, such as 'vulnerability', 'XSS', 'SQL injection', 'OWASP', 'authorization', 'login', 'password hashing'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names several specific domains (authentication, user input handling, secrets, API endpoints, payment/sensitive features) but describes the output vaguely as 'provides comprehensive security checklists and patterns' without listing concrete actions like 'validates input sanitization', 'generates CSRF tokens', etc. | 2 / 3 |
| Completeness | The description explicitly answers both 'what' (provides comprehensive security checklists and patterns) and 'when' (use when adding authentication, handling user input, working with secrets, creating API endpoints, implementing payment/sensitive features), with clear trigger guidance at the start. | 3 / 3 |
| Trigger Term Quality | Includes relevant trigger terms like '認証' (authentication), 'ユーザー入力' (user input), 'シークレット' (secrets), 'APIエンドポイント' (API endpoints), '支払い' (payment), but misses common variations users might say such as 'login', 'password', 'SQL injection', 'XSS', 'OWASP', 'security vulnerability', or 'authorization'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The security focus is fairly distinct, but terms like 'API endpoints' and 'user input handling' could overlap with general web development or API design skills. The scope is broad enough that it might conflict with more specialized authentication or payment processing skills. | 2 / 3 |
| Total | | 9 / 12 (Passed) |
Implementation: 42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides highly actionable, executable security guidance with clear FAIL/PASS patterns and comprehensive checklists. However, it is severely over-long and monolithic—most of the content covers standard security knowledge Claude already knows, and the lack of progressive disclosure means the entire ~400-line document must be loaded into context even when only one security domain is relevant. The workflow for conducting an actual security review is implicit rather than explicitly sequenced.
Suggestions
Split each security domain (SQL injection, XSS, CSRF, etc.) into separate referenced files and keep SKILL.md as a concise overview with the deploy checklist and links to each domain file.
Remove explanations of well-known concepts (e.g., what SQL injection is, why XSS is dangerous) and retain only the specific patterns, code examples, and checklists.
Add an explicit security review workflow at the top: e.g., 1) Identify which domains apply → 2) Run checklists → 3) Fix findings → 4) Re-verify → 5) Sign off.
Trim redundant FAIL/PASS examples where the anti-pattern is obvious to Claude (e.g., hardcoded passwords, console.log of sensitive data) to just the PASS pattern.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~400+ lines, covering 10 security domains with extensive code examples. Much of this is standard security knowledge Claude already possesses (SQL injection basics, XSS prevention, CSRF tokens). The content reads like a security textbook rather than a concise skill reference. | 1 / 3 |
| Actionability | Every section provides fully executable TypeScript/SQL/bash code examples with clear FAIL/PASS patterns. The code is copy-paste ready, uses real libraries (zod, DOMPurify, express-rate-limit), and includes concrete validation checklists for each domain. | 3 / 3 |
| Workflow Clarity | Each section has clear validation checklists and the deploy checklist provides a comprehensive pre-deployment sequence. However, there's no explicit workflow ordering between sections, no feedback loops for when security issues are found during review, and no guidance on prioritization or how to sequence a security review process. | 2 / 3 |
| Progressive Disclosure | The entire skill is a monolithic wall of text with all 10 security domains fully inline. There are no bundle files to offload detailed sections (e.g., blockchain security, XSS prevention could each be separate files). The external resource links at the bottom are generic references, not structured skill sub-files. | 1 / 3 |
| Total | | 7 / 12 (Passed) |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation: 11 / 11 Passed
Validation for skill structure
No warnings or errors.
928076c