CtrlK
BlogDocsLog inGet started
Tessl Logo

security-review

Comprehensive security code review workflow for a target repository, producing a markdown report with findings and recommendations.

47

Quality

50%

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Risky

Do not use without reviewing

Fix and improve this skill with Tessl

tessl review fix ./sources/skills/security-review/SKILL.md
SKILL.md
Quality
Evals
Security

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill is well-structured and lean, with clear report requirements and output handling, but every dimension sits at the mid anchor due to descriptive (non-executable) analysis guidance, missing validation checkpoints, and a broken bundled-file reference. Tightening filler, adding verification steps, and shipping the referenced guidelines file would lift all dimensions.

Suggestions

Provide the missing bundled file 'Security_Code_Reviewer_Guidelines.md' in a references/ directory (or remove the reference) so signaled navigation is not broken.

Add validation/verification checkpoints to the workflow, e.g. confirm rules loaded successfully and verify the report file was written before finishing.

Make the analysis step more actionable with concrete tooling or commands instead of 'Review the repository line by line', and remove filler lines like the mandatory-rules restatement.

DimensionReasoningScore

Conciseness

The body is generally lean and avoids explaining concepts Claude knows, but includes filler such as 'These are mandatory foundational rules that must be loaded for every review' and 'Review the repository line by line', matching 'mostly efficient but could be tightened' rather than the every-token-earns-its-place anchor 3.

2 / 3

Actionability

Concrete specifics exist for the report (severity taxonomy, section structure, output path and filename pattern, rule-loading URLs), but the central analysis step is descriptive ('Review the repository line by line', 'Focus on: injection flaws...') with no executable commands or concrete methodology, matching 'some concrete guidance but incomplete'.

2 / 3

Workflow Clarity

Steps are clearly numbered with an input-handling checkpoint, but there are no validation/verification or feedback-loop checkpoints for loading rules or producing the report, which the guidelines say caps workflow clarity at 2 for such operations.

2 / 3

Progressive Disclosure

The body is well organized into clear sections with one-level-deep, signaled references (a bundled guidelines file and external rule URLs), but the referenced bundled file 'Security_Code_Reviewer_Guidelines.md' does not exist in any references/scripts/assets directory, leaving navigation partly broken and keeping it at anchor 2 rather than 3.

2 / 3

Total

8

/

12

Passed

Description

50%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description clearly states what the skill produces but lacks an explicit trigger ('Use when...') and keyword variations, leaving all dimensions at the mid anchor. Adding a trigger clause and a few natural synonyms would lift completeness, trigger_term_quality, and distinctiveness.

Suggestions

Add an explicit 'Use when...' trigger clause, e.g. 'Use when the user asks for a security audit, vulnerability review, or code security assessment of a repository.'

Broaden natural keywords with common variations such as 'security audit', 'vulnerability scan', and 'code review' to improve trigger coverage and distinctiveness.

List a couple more concrete review actions (e.g. 'scans for injection, auth flaws, and hardcoded secrets') to raise specificity toward anchor 3.

DimensionReasoningScore

Specificity

Names the domain ('security code review workflow') and concrete deliverables ('markdown report with findings and recommendations'), but does not enumerate multiple distinct review actions, matching anchor 2 rather than the comprehensive list of anchor 3.

2 / 3

Completeness

Clearly answers 'what' the skill does but provides no 'Use when...' clause or equivalent explicit trigger guidance, which the guidelines state caps completeness at 2; it is not score 1 because the 'what' is clearly present.

2 / 3

Trigger Term Quality

'security code review' is a natural keyword a user would say, but coverage is thin with no common variations like 'audit', 'vulnerability scan', or 'code audit', matching 'some relevant keywords but missing common variations' at anchor 2.

2 / 3

Distinctiveness Conflict Risk

The 'security code review' niche is reasonably specific, but with only a single trigger term and no explicit when-guidance it could overlap with general code-review or audit skills, matching 'somewhat specific but could still overlap' rather than the distinct-niche anchor 3.

2 / 3

Total

8

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

metadata_version

'metadata.version' is missing

Warning

Total

15

/

16

Passed

Repository
cosai-oasis/project-codeguard
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.