
software-security

A software security skill that integrates with Project CodeGuard to help AI coding agents write secure code and prevent common vulnerabilities. Use this skill when writing, reviewing, or modifying code to ensure secure-by-default practices are followed.

Install with Tessl CLI

npx tessl i github:cosai-oasis/project-codeguard --skill software-security

71

Does it follow best practices?

Validation for skill structure


Discovery

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description has good structure with explicit 'Use when' guidance, but lacks specificity in the security capabilities it provides. The trigger terms are somewhat generic and could benefit from including specific vulnerability types or security concepts that users would naturally mention.

Suggestions

Add specific security actions like 'detect SQL injection, XSS vulnerabilities, insecure authentication patterns, and hardcoded secrets'

Include more natural trigger terms users would say: 'security review', 'vulnerability scan', 'OWASP', 'secure coding', 'security audit'

Narrow the 'when' clause to be more distinctive, e.g., 'Use when security concerns are mentioned, when reviewing code for vulnerabilities, or when implementing authentication/authorization'

Dimension (Score): Reasoning

Specificity (2 / 3): Names the domain (software security) and mentions some actions ('write secure code', 'prevent common vulnerabilities'), but lacks specific concrete actions like 'sanitize inputs', 'validate authentication', or 'encrypt sensitive data'.

Completeness (3 / 3): Clearly answers both what ('integrates with Project CodeGuard to help write secure code and prevent vulnerabilities') and when ('Use this skill when writing, reviewing, or modifying code') with explicit trigger guidance.

Trigger Term Quality (2 / 3): Includes some relevant terms ('secure code', 'vulnerabilities', 'writing', 'reviewing', 'modifying code') but misses common variations users might say like 'security audit', 'XSS', 'SQL injection', 'OWASP', 'penetration testing', or 'security scan'.

Distinctiveness / Conflict Risk (2 / 3): The security focus provides some distinction, but 'writing, reviewing, or modifying code' is very broad and could overlap with general code review skills, linting skills, or other code quality tools.

Total: 9 / 12 (Passed)

Implementation

62%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides a well-structured security workflow with clear phases and checkpoints, making it easy to follow. However, it suffers from including a large reference table inline that bloats the content, and lacks concrete code examples showing secure implementations. The guidance is procedurally clear but would benefit from executable examples demonstrating the patterns it describes.

Suggestions

Move the language-to-rules mapping table to a separate reference file (e.g., LANGUAGE_RULES.md) and link to it from the main skill

Add 2-3 concrete code examples showing secure vs insecure patterns (e.g., parameterized query vs string concatenation, secure credential loading)

Remove introductory sentences that explain what the skill is - start directly with 'When to Use' or the workflow

Dimension (Score): Reasoning

Conciseness (2 / 3): The skill contains some unnecessary explanation (e.g., 'This skill provides comprehensive security guidance...') and the massive language-to-rules mapping table could be referenced externally rather than inline. However, the workflow sections are reasonably efficient.

Actionability (2 / 3): The skill provides a clear workflow and references specific rule files, but lacks concrete code examples showing secure vs insecure patterns. Instructions like 'Apply secure-by-default patterns' are vague without executable examples.

Workflow Clarity (3 / 3): The three-phase workflow (Initial Security Check → Code Generation → Security Review) is clearly sequenced with explicit checkpoints. Each phase has concrete verification steps and the checklist format makes validation clear.

Progressive Disclosure (2 / 3): References to external rule files in /rules directory are appropriate, but the massive inline table should be in a separate reference file. The skill attempts progressive disclosure but includes too much detail inline that belongs elsewhere.

Total: 9 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria (Result): Description

frontmatter_unknown_keys (Warning): Unknown frontmatter key(s) found; consider removing or moving to metadata

Total: 10 / 11 (Passed)
