
security-review

Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.

55

Quality: 62% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk

Advisory

Suggest reviewing before use

Optimize this skill with Tessl

npx tessl skill review --optimize ./.claude/skills/security-review/SKILL.md

Quality

Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description has strong trigger term coverage and good completeness with an explicit 'Use when' clause covering multiple scenarios. However, the actual capability description ('Provides comprehensive security checklist and patterns') is vague and doesn't convey specific concrete actions. The broad scope also creates moderate conflict risk with other development-related skills.

Suggestions

Replace 'Provides comprehensive security checklist and patterns' with specific actions like 'Reviews code for vulnerabilities, recommends input sanitization, generates secure authentication flows, and audits secret management practices'.

Narrow the scope or add qualifiers to reduce overlap with general development skills — e.g., specify this is about security review/hardening rather than building these features from scratch.

| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (security) and lists several areas (authentication, secrets, API endpoints, payment features), but the actual actions are vague — 'Provides comprehensive security checklist and patterns' doesn't describe concrete actions like 'validates input against injection attacks' or 'encrypts secrets at rest'. | 2 / 3 |
| Completeness | Explicitly answers both 'when' ('Use this skill when adding authentication, handling user input, working with secrets...') and 'what' ('Provides comprehensive security checklist and patterns'). The 'Use when' clause is present and detailed with multiple trigger scenarios. | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would actually say: 'authentication', 'user input', 'secrets', 'API endpoints', 'payment', 'sensitive features'. These cover a good range of common security-related queries. | 3 / 3 |
| Distinctiveness / Conflict Risk | While the security focus is somewhat distinct, terms like 'handling user input', 'creating API endpoints', and 'authentication' could easily overlap with general web development, API design, or authentication-specific skills. The scope is broad enough to risk false triggers. | 2 / 3 |

Total: 10 / 12 (Passed)

Implementation: 42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is comprehensive and highly actionable with excellent executable code examples covering a wide range of security concerns. However, it is far too verbose for a skill file — it reads like a security textbook chapter rather than a concise reference for Claude, who already knows these concepts. The lack of progressive disclosure (no bundle files, everything inline) makes it a token-expensive monolith that would benefit greatly from restructuring into a brief overview with linked detail files.

Suggestions

Reduce the SKILL.md to a concise checklist (~50-80 lines) with the key patterns specific to your stack, and move detailed code examples into separate files like AUTH.md, INPUT_VALIDATION.md, XSS.md, etc.

Remove explanations of basic security concepts Claude already knows (what SQL injection is, why not to log passwords) and focus only on project-specific patterns, library choices, and non-obvious conventions.

Add an explicit workflow for security review: e.g., 'Before committing: 1. Run npm audit 2. Check against checklist 3. If issues found → fix → re-check → only then proceed.'

Remove or relocate the generic external resource links (OWASP, PortSwigger) — Claude knows these exist and they consume tokens without adding project-specific value.

| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | At ~400+ lines, this skill is extremely verbose. It explains well-known security concepts (XSS, CSRF, SQL injection, rate limiting) that Claude already understands deeply. Much of this is textbook security knowledge that doesn't need to be spelled out — e.g., explaining what SQL injection is, showing basic parameterized queries, or explaining why you shouldn't log passwords. The content could be reduced to a concise checklist with key patterns specific to the project's stack. | 1 / 3 |
| Actionability | The skill provides fully executable TypeScript/SQL code examples for every security concern, with concrete do/don't patterns, specific library imports (zod, DOMPurify, express-rate-limit), and copy-paste ready implementations. The verification checklists after each section add further concrete guidance. | 3 / 3 |
| Workflow Clarity | The skill is organized as a checklist of independent security concerns rather than a sequenced workflow, which is appropriate for a review skill. However, it lacks explicit validation/feedback loops — there's no clear process for 'run security audit → find issues → fix → re-verify.' The pre-deployment checklist is helpful but doesn't describe what to do when checks fail or how to prioritize findings. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of content with no bundle files to offload detail into. All 10 security domains are fully expanded inline. The skill would benefit enormously from splitting each domain (input validation, auth, XSS, etc.) into separate reference files and keeping SKILL.md as a concise overview with links. The external resource links at the bottom are generic web references, not project-specific supporting files. | 1 / 3 |

Total: 7 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |

Total: 10 / 11 (Passed)

Repository: devrev/meerkat (Reviewed)
