Security-focused code review instructions for the expert agent
Discovery (7%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is extremely terse and vague, failing to enumerate specific capabilities, include natural trigger terms, or provide any 'Use when...' guidance. It reads more like an internal label than a functional description that Claude could use to select the right skill from a large pool. The only slight positive is the 'security-focused' qualifier, which provides minimal distinctiveness.
Suggestions
List specific concrete actions such as 'Identifies common vulnerabilities (SQL injection, XSS, CSRF), reviews authentication and authorization logic, checks for insecure dependencies.'
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks for a security audit, vulnerability scan, secure code review, or mentions OWASP, CVE, or security best practices.'
Include natural trigger terms users would say: 'security audit', 'vulnerability', 'secure coding', 'OWASP', 'penetration test', 'code hardening', '.env secrets'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description is vague: 'security-focused code review instructions' does not list any concrete actions like identifying vulnerabilities, checking for injection flaws, reviewing authentication logic, etc. 'Instructions for the expert agent' is abstract and non-actionable. | 1 / 3 |
| Completeness | The description weakly addresses 'what' (security-focused code review) but provides no 'when' clause or explicit trigger guidance at all. Both dimensions are very weak. | 1 / 3 |
| Trigger Term Quality | The only potentially useful trigger terms are 'security' and 'code review', but common user phrases like 'vulnerability', 'CVE', 'OWASP', 'audit', 'penetration test', 'secure coding' are entirely absent. 'Expert agent' is internal jargon, not a user-facing keyword. | 1 / 3 |
| Distinctiveness / Conflict Risk | The 'security-focused' qualifier provides some distinction from general code review skills, but the description is still broad enough to overlap with any security-related or code-review-related skill. | 2 / 3 |
| Total | | 5 / 12 (Passed) |
Implementation (100%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is an excellent security review skill that is concise, actionable, and well-structured. It provides clear investigation steps, a comprehensive but focused scope, and a precise output schema. The inclusion of escalation handling, prior review awareness, and explicit anti-patterns (don't invent issues, don't report style) demonstrates mature design.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Every section is lean and purposeful. No unnecessary explanations of what security reviews are or how tools work. The scope list is dense but each item earns its place as a concrete category to check. | 3 / 3 |
| Actionability | Provides concrete steps (git blame, grep for patterns, trace inputs), a specific output format with JSON schema, clear severity levels, and explicit examples of escalation scenarios. The exploration phase gives executable investigation steps. | 3 / 3 |
| Workflow Clarity | Clear sequenced workflow: Phase 1 exploration with 6 numbered steps, then scope evaluation, then output. The requirement to output an exploration log before findings acts as a validation checkpoint. The rules section provides clear guardrails against false positives. | 3 / 3 |
| Progressive Disclosure | For a focused single-purpose skill under 50 lines, the content is well-organized into logical sections (Phase 1, Scope, Escalations, Prior Reviews, Rules, Output) without needing external references. Navigation is clear and content is appropriately scoped. | 3 / 3 |
| Total | | 12 / 12 (Passed) |
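The review above praises the skill's Phase 1 workflow (grep added code for risky patterns, keep an exploration log, emit the log before the findings, assign a severity, never invent an issue) without reproducing the skill text itself. The following Python sketch is an added example of what that step looks like in code; it is not the review-security skill's own content. The rule names, severity labels, JSON field names and both sample diffs are constructed for illustration and are not the skill's schema.

```python
"""Hypothetical sketch of the Phase 1 'grep for patterns' step.
Added example; not the review-security skill's own text or schema."""
import json
import re

# Constructed sample diff (not from the page): two risky lines are added.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,3 +10,4 @@
 def get_user(cur, username):
-    cur.execute("SELECT * FROM users WHERE name = %s", (username,))
+    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
+    DB_PASSWORD = "hunter2"
     return cur.fetchone()
"""

# Constructed clean diff: parameterised query, nothing to report.
CLEAN_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,2 +10,3 @@
 def get_user(cur, username):
+    cur.execute("SELECT * FROM users WHERE name = %s", (username,))
     return cur.fetchone()
"""

# Assumed rule list: (rule name, regex, severity). Illustrative only.
PATTERNS = [
    ("sql_string_concat",
     re.compile(r"""execute\([^)]*["']\s*\+"""), "high"),
    ("hardcoded_secret",
     re.compile(r"""(?i)(password|secret|api_key|token)\s*=\s*["'][^"']+["']"""), "high"),
    ("eval_call", re.compile(r"\beval\("), "medium"),
]
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines(diff):
    """Yield (path, new_line_no, text) for each '+' line, using hunk headers to
    compute the line number on the new side of the diff."""
    path, new_line = None, 0
    for raw in diff.splitlines():
        if raw.startswith("diff --git"):
            path = None
            continue
        if raw.startswith("+++ "):
            name = raw[4:].split("\t")[0]
            path = name[2:] if name.startswith("b/") else name
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if path is None or raw.startswith("\\"):   # file headers, "\ No newline"
            continue
        if raw.startswith("+"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif not raw.startswith("-"):
            new_line += 1                          # context line


def run_phase1(diff, patterns=PATTERNS):
    """Scan only the added lines, record what was examined, and return the
    exploration log ahead of the findings. A clean diff yields no findings."""
    lines = list(added_lines(diff))
    files = sorted({p for p, _, _ in lines})
    log = [f"Parsed diff: {len(files)} file(s), {len(lines)} added line(s)"]
    log += [f"Grep added lines in {p} for {len(patterns)} pattern(s)" for p in files]
    findings = [
        {"file": path, "line": lineno, "severity": sev, "rule": rule,
         "evidence": text.strip()}
        for path, lineno, text in lines
        for rule, regex, sev in patterns if regex.search(text)
    ]
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["file"], f["line"]))
    return {"exploration_log": log, "findings": findings}


def render_report(report):
    """Serialise with the exploration log first, as the workflow requires."""
    return json.dumps(report, indent=2)


if __name__ == "__main__":
    print(render_report(run_phase1(SAMPLE_DIFF)))
```

Only `+` lines are scanned, so a pre-existing weakness outside the change is not reported as a finding of this review, and the clean diff produces an exploration log with an empty findings list rather than a fabricated issue.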
Validation (100%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation for skill structure: 11 / 11 checks passed. No warnings or errors.