CtrlK
BlogDocsLog inGet started
Tessl Logo

security

MUST be used whenever fixing security issues in a Flows app, or before shipping any feature that handles credentials, user input, or external data. This skill finds AND fixes security problems — it does not just report them. Do NOT skip this when the user asks for a security fix, security hardening, or vulnerability remediation — run every step in order. Triggers: security, security fix, security hardening, vulnerability, XSS, injection, credentials, secrets, auth, authentication, authorization, token, sensitive data, input validation, CORS, CSP, dependency audit.

84

1.08x
Quality

Does it follow best practices?

Impact

100%

1.08x

Average score across 3 eval scenarios

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A highly actionable, well-structured security skill with concrete commands and executable fixes throughout. It is held back by the absence of explicit re-verification feedback loops, a monolithic single-file structure, and minor verbosity.

Suggestions

Add an explicit verification feedback loop after each find-and-fix step (e.g., re-run the step's grep and confirm zero remaining matches before proceeding) to lift workflow clarity.

Split the long inline content into one-level-deep reference files (e.g., a CDF-SDK migration reference and a credential-hygiene checklist) and link them from SKILL.md to improve progressive disclosure.

Trim redundant prose — especially the "Done" section that restates Step 9's report table and repeated "How to fix" intros — to tighten conciseness.

DimensionReasoningScore

Conciseness

The body is mostly efficient with concrete commands and code and avoids explaining concepts Claude already knows, but at ~240 lines it includes redundant prose such as the "Done" section restating Step 9's report and repeated "How to fix" framing that could be tightened.

2 / 3

Actionability

Each step supplies executable grep commands and complete, copy-paste-ready fixes (DOMPurify.sanitize wrapping, a Zod schema, a setTimeout refactor, vite security headers, and a CDF-call decision table).

3 / 3

Workflow Clarity

Nine steps are clearly sequenced, but there is no explicit re-verification feedback loop (e.g., re-run the grep to confirm zero remaining hits) for a batch find-and-fix with destructive code changes, which caps workflow clarity at 2 per the scoring notes.

2 / 3

Progressive Disclosure

The skill is well-organized into nine labeled sections, but it is a single monolithic ~240-line file with no bundle references and large inline reference-style content (the CDF migration table, fix recipes) that could be split out.

2 / 3

Total

9

/

12

Passed

Description

90%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, third-person description that explicitly covers both capability and trigger conditions with a rich keyword list. Its only weakness is that the stated actions are high-level (find/fix) rather than a varied set of concrete operations.

DimensionReasoningScore

Specificity

"finds AND fixes security problems" names the security domain and the find/fix actions, but the actions are essentially two verbs applied across categories rather than a list of distinct concrete operations, matching the 'names domain and some actions, but not comprehensive' anchor.

2 / 3

Completeness

It clearly states what ("finds AND fixes security problems") and when ("MUST be used whenever fixing security issues in a Flows app, or before shipping any feature that handles credentials, user input, or external data" plus the explicit triggers list), satisfying both what and when.

3 / 3

Trigger Term Quality

The explicit "Triggers:" list (security, security fix, security hardening, vulnerability, XSS, injection, credentials, secrets, auth, authentication, authorization, token, sensitive data, input validation, CORS, CSP, dependency audit) gives strong coverage of natural terms a user would say.

3 / 3

Distinctiveness Conflict Risk

The Flows-app / Cognite-CDF security-fix niche with dedicated triggers is clearly distinguished from general skills; it is unlikely to fire for unrelated work despite minor overlap with broad auth/token terms.

3 / 3

Total

11

/

12

Passed

Validation

87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation14 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

allowed_tools_field

'allowed-tools' contains unusual tool name(s)

Warning

metadata_version

'metadata.version' is missing

Warning

Total

14

/

16

Passed

Repository
cognitedata/builder-skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.