OWASP security patterns, secrets management, security testing
51 · 40%
Does it follow best practices?
Impact: Pending (no eval scenarios have been run)
Passed: no known issues
Quality
Discovery
22%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is essentially a comma-separated list of security topics with no concrete actions, no verbs, and no guidance on when to use the skill. It would be very difficult for Claude to confidently select this skill over others in a large skill library. The description needs substantial improvement in specificity and completeness.
Suggestions
Add concrete action verbs describing what the skill does, e.g., 'Identifies OWASP Top 10 vulnerabilities in code, detects hardcoded secrets, and generates security test cases.'
Add an explicit 'Use when...' clause with trigger scenarios, e.g., 'Use when the user asks about security vulnerabilities, secret leaks, credential management, OWASP compliance, or security audits.'
Include common natural-language variations users might say, such as 'vulnerability', 'API keys', 'credentials', 'hardcoded passwords', 'security audit', 'pen test'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description lists broad security topics ('OWASP security patterns', 'secrets management', 'security testing') but does not describe any concrete actions. There are no verbs indicating what the skill actually does. | 1 / 3 |
| Completeness | The description weakly addresses 'what' (just topic labels, no actions) and completely omits 'when' — there is no 'Use when...' clause or any explicit trigger guidance. | 1 / 3 |
| Trigger Term Quality | Terms like 'OWASP', 'secrets management', and 'security testing' are relevant keywords a user might mention, but common variations like 'vulnerability scanning', 'API keys', 'credentials', 'penetration testing', or 'security audit' are missing. | 2 / 3 |
| Distinctiveness / Conflict Risk | The mention of OWASP and secrets management provides some specificity within the security domain, but 'security testing' is broad enough to overlap with other security-related skills such as static analysis or CI/CD security tools. | 2 / 3 |
| Total | | 6 / 12 Passed |
Implementation
57%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is highly actionable with excellent, executable code examples across multiple languages and frameworks, covering a broad range of security concerns. However, it suffers from being a monolithic document (~400+ lines) that tries to cover everything inline without progressive disclosure, and it includes some explanations of concepts Claude already understands. The workflow sequencing could be improved with explicit validation checkpoints and error recovery steps.
Suggestions
Split the content into focused sub-documents (e.g., SECRETS.md, INPUT_VALIDATION.md, AUTH.md, CI_SECURITY.md) and keep SKILL.md as a concise overview with clear references to each.
Add an explicit sequenced workflow for 'securing a new project' with numbered steps, validation checkpoints, and what to do if checks fail — e.g., '1. Create .gitignore → 2. Run detect-secrets baseline → 3. Validate no secrets staged → 4. Set up CI workflow'.
Trim explanatory content Claude already knows (e.g., 'Never use string concatenation' preambles, basic XSS/SQLi concept explanations) and keep only the concrete patterns and anti-patterns.
Remove or condense the full .gitignore block and GitHub Actions YAML — these could live in referenced template files rather than inline.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is quite long (~400+ lines) and includes some content Claude already knows (e.g., basic SQL injection, XSS concepts, what bcrypt does). The .gitignore block and some boilerplate could be trimmed. However, the framework-specific prefix table and concrete code examples do earn their place. | 2 / 3 |
| Actionability | Excellent actionability throughout — fully executable code examples in both TypeScript and Python, copy-paste ready config files (.pre-commit-config.yaml, GitHub Actions workflow, security-check.sh), specific library recommendations, and concrete commands. Nearly everything is directly usable. | 3 / 3 |
| Workflow Clarity | The skill provides a comprehensive security checklist and pre-commit hooks, but lacks explicit sequenced workflows with validation checkpoints and feedback loops. For example, the 'Required Security Setup' section lists items but doesn't sequence them into a clear 'do this, then validate, then proceed' flow. The security-check.sh script has some validation, but the overall process for securing a project isn't presented as a step-by-step workflow with error recovery. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of content — everything from .gitignore templates to JWT best practices to GitHub Actions workflows is inline in a single file. There are no references to separate files for detailed topics like auth patterns, CI/CD security configs, or OWASP details. The content would benefit greatly from splitting into focused sub-documents with a concise overview in the main skill. | 1 / 3 |
| Total | | 8 / 12 Passed |
Validation
90%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (578 lines); consider splitting into references/ and linking | Warning |
| Total | | 10 / 11 Passed |