CtrlK
BlogDocsLog inGet started
Tessl Logo

codeguard

A CodeGuard security skill that helps AI coding agents write secure code and prevent common vulnerabilities. Use this skill when writing, reviewing, or modifying code to ensure secure-by-default practices are followed.

52

Quality

58%

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

Fix and improve this skill with Tessl

tessl review fix ./skills/codeguard/SKILL.md
SKILL.md
Quality
Evals
Security

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill is well-structured as an overview that routes to per-context rule files, but it ships without the referenced rule bundle, leaving its concrete guidance unresolvable. Inline lookup tables and generic security advice also inflate the token budget without adding novel instruction.

Suggestions

Provide the referenced rules/ directory (and any bundle files) so the rule-file pointers and tag/language tables resolve to real content; this is the single biggest gap.

Move the dense language→rules and tag→rules lookup tables into a dedicated reference file and keep SKILL.md as a concise overview with a clearly signaled link.

Add an explicit feedback loop to the Security Review step (e.g. 'If a check fails, fix the code and re-run the review until all rules pass') and at least one concrete inline code pattern showing a secure-by-default fix.

DimensionReasoningScore

Conciseness

The body is organized, but the inline tag→rules and language→rules tables are token-heavy and the 'Proactive Security' bullets restate basic concepts (parameterized queries, input validation, least privilege) Claude already knows.

2 / 3

Actionability

It names specific rule files and security tags as concrete pointers, but provides no executable code or concrete security patterns inline; the actual guidance is delegated to rule files rather than instructed directly.

2 / 3

Workflow Clarity

A sequenced check→generate→review workflow with a review checkpoint is present, but there is no explicit fix-and-retry feedback loop, and the steps reference rule files that do not exist.

2 / 3

Progressive Disclosure

The body is structured as an overview pointing to a separate rules/ directory, but the referenced rule files and the bundle directories (references/, scripts/, assets/) do not exist, and the large lookup tables are inlined rather than split into reference files.

2 / 3

Total

8

/

12

Passed

Description

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description cleanly covers both what the skill does and when to use it, with a clear security niche. Its main weakness is a generic trigger condition and abstract capability language that limits specificity and distinctiveness.

Suggestions

Replace abstract capabilities with concrete actions, e.g. 'reviews code for hardcoded secrets, validates cryptographic algorithm choices, and checks input-handling against secure-by-default rules'.

Add security-specific trigger terms users would naturally say, such as 'review this code for security', 'is this code vulnerable', or 'secure this authentication code'.

Narrow the 'when' clause so it triggers on security-relevant coding rather than all code writing/review, reducing overlap with general coding skills.

DimensionReasoningScore

Specificity

Names the security domain plus a couple of actions ('write secure code and prevent common vulnerabilities'), but the actions are abstract rather than a comprehensive list of concrete capabilities, so it falls short of the multi-action anchor.

2 / 3

Completeness

It explicitly answers both what ('helps AI coding agents write secure code and prevent common vulnerabilities') and when ('Use this skill when writing, reviewing, or modifying code'), matching the explicit-trigger anchor.

3 / 3

Trigger Term Quality

'writing, reviewing, or modifying code' are natural terms a user would say, but they are generic and omit security-specific phrasings users would actually use ('is this code secure', 'find vulnerabilities').

2 / 3

Distinctiveness Conflict Risk

The security focus is a distinct niche, but the trigger 'when writing, reviewing, or modifying code' is broad and would overlap with almost any general coding skill.

2 / 3

Total

9

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
cosai-oasis/project-codeguard
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.