Audit application source code against the OWASP Top 10 vulnerability categories. Use when the user mentions 'OWASP,' 'security audit,' 'code security review,' 'vulnerability audit,' 'find vulnerabilities,' 'secure code review,' 'security review,' or wants to check their codebase for common security weaknesses.
64
76%
No eval scenarios have been run
Risky
Do not use without reviewing
Quality
Discovery: 89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description with excellent trigger term coverage and a clear 'Use when' clause that makes it easy for Claude to select appropriately. The main weakness is that the 'what' portion could be more specific about the concrete actions performed (e.g., listing specific vulnerability categories checked or output formats). Overall, it is well above average and clearly distinguishable from other skills.
Suggestions
- Expand the capability description to list specific concrete actions, e.g., 'Identifies injection flaws, broken authentication, sensitive data exposure, and other OWASP Top 10 categories in application source code.'

| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | It names the domain (application source code security) and a specific framework (OWASP Top 10), but describes only one action ('audit') rather than listing multiple concrete actions like 'identify injection flaws, detect authentication issues, flag misconfigurations.' | 2 / 3 |
| Completeness | Clearly answers both 'what' (audit application source code against OWASP Top 10 vulnerability categories) and 'when' (explicit 'Use when...' clause with multiple trigger scenarios). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms: 'OWASP,' 'security audit,' 'code security review,' 'vulnerability audit,' 'find vulnerabilities,' 'secure code review,' 'security review,' and 'common security weaknesses' — these are terms users would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | The OWASP Top 10 focus and security audit framing create a clear niche that is unlikely to conflict with general code review or other development skills. The trigger terms are specific to security auditing. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 62%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, well-structured security audit skill that provides a systematic methodology and clear output format. Its main weaknesses are the lack of executable commands/code examples (grep patterns are listed but not as runnable commands) and the monolithic structure that could benefit from splitting the detailed checklist into a reference file. The workflow is clear and the report template is immediately usable.
Suggestions
- Convert grep suggestions into actual executable commands (e.g., `grep -rn 'eval(' --include='*.js' .`) to improve actionability.
- Split the detailed A01-A10 checklist into a separate CHECKLIST.md reference file, keeping SKILL.md as a concise workflow overview with the report template.
- Add a concrete worked example showing one finding from code snippet through to the completed report entry, demonstrating the full audit flow.

| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient and well-structured, but some categories (A04, A08, A09) are thin enough to feel like padding, and the checklist items are somewhat verbose with explanations Claude would already know (e.g., what IDOR is, what CSRF is). The grep suggestions add value but some descriptions could be tighter. | 2 / 3 |
| Actionability | Provides concrete grep patterns and a clear report template, which is good. However, it lacks executable code examples — no actual grep commands with proper syntax, no script snippets for running audits, and the guidance remains at the checklist/description level rather than providing copy-paste-ready commands or code analysis patterns. | 2 / 3 |
| Workflow Clarity | The workflow is clearly sequenced: scope the audit → work through checklist systematically → document findings in specified format → produce executive summary with prioritized remediation. The instruction to 'grep for known patterns, then read flagged files for deeper analysis' provides a clear two-phase approach. The severity classification and prioritized remediation plan serve as validation/output checkpoints. | 3 / 3 |
| Progressive Disclosure | The content is well-organized with clear headers and logical sections, but it's a monolithic document with no references to supporting files. The detailed checklist for all 10 OWASP categories could be split into a separate reference file, keeping the SKILL.md as a concise overview with the workflow and report format. References to OWASP/CWE are listed but not linked. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| Total | | 10 / 11 Passed |