# Security-focused code review instructions for the expert agent

Score: 69

Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:

```
npx tessl skill review --optimize ./path/to/skill
```
## Discovery: 22%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is too vague and incomplete to effectively guide skill selection. It lacks concrete actions, explicit trigger conditions, and sufficient keywords for Claude to reliably choose this skill over others. The phrase 'for the expert agent' is internal jargon that doesn't help with skill selection.
Suggestions:

- Add a 'Use when...' clause with explicit triggers like 'Use when reviewing code for security vulnerabilities, performing security audits, or when the user mentions OWASP, CVE, injection attacks, or authentication flaws.'
- List specific concrete actions such as 'Identifies SQL injection, XSS vulnerabilities, authentication weaknesses, and insecure data handling. Provides remediation recommendations with severity ratings.'
- Include natural trigger terms users would say: 'security scan', 'vulnerability check', 'secure code', 'penetration test', 'security audit', 'SAST'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description uses vague language ('security-focused code review instructions') without listing any concrete actions. It doesn't specify what security aspects are reviewed, what vulnerabilities are detected, or what outputs are produced. | 1 / 3 |
| Completeness | The description weakly addresses 'what' (security code review) but completely lacks any 'when' guidance. There is no 'Use when...' clause or explicit trigger guidance for Claude to know when to select this skill. | 1 / 3 |
| Trigger Term Quality | Contains some relevant keywords ('security', 'code review') that users might naturally say, but misses common variations like 'vulnerability', 'security audit', 'OWASP', 'CVE', 'penetration testing', or specific vulnerability types. | 2 / 3 |
| Distinctiveness / Conflict Risk | While 'security-focused' provides some distinction from general code review skills, the description is vague enough that it could overlap with general code review skills, static analysis tools, or other security-related skills. | 2 / 3 |
| Total | | 6 / 12 Passed |
## Implementation: 87%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-crafted security review skill that is concise, actionable, and appropriately scoped. The output format is concrete and the scope boundaries are clear. The main weakness is the Research section, which could benefit from a more explicit workflow sequence to ensure systematic coverage of security concerns.
Suggestions:

- Add explicit workflow steps to the Research section (e.g., '1. Trace user input entry points, 2. Follow to data stores/outputs, 3. Check auth middleware on affected routes, 4. Verify findings before reporting').
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Every section is lean and purposeful. No explanation of what security reviews are or how Claude should think about security concepts it already knows. The scope list is dense but necessary for bounding the task. | 3 / 3 |
| Actionability | Provides concrete scope categories, specific research techniques (grep, trace data flows, check middleware), explicit output format with JSON schema, and clear severity levels. Copy-paste ready output structure. | 3 / 3 |
| Workflow Clarity | The Research section mentions tracing data flows and checking auth boundaries, but lacks explicit sequencing or validation checkpoints. For a security review task that could miss issues, a clearer workflow (e.g., 'first check X, then Y, verify by Z') would improve reliability. | 2 / 3 |
| Progressive Disclosure | This is a focused, single-purpose skill under 50 lines. Content is well-organized into clear sections (Scope, Research, Rules, Output Format) with no need for external references. Structure is appropriate for the skill's complexity. | 3 / 3 |
| Total | | 11 / 12 Passed |
## Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed
Validation for skill structure
No warnings or errors.