
backend-security-coder

Expert in secure backend coding practices specializing in input validation, authentication, and API security. Use PROACTIVELY for backend security implementations or security code reviews.

50

Quality: 43% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)

Optimize this skill with Tessl

npx tessl skill review --optimize ./docs/v19.7/configuration/agent/skills_external/antigravity-awesome-skills-main/skills/backend-security-coder/SKILL.md

Quality

Discovery: 67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description has good structure with explicit 'Use when' guidance, which is a strength. However, it relies on category names (input validation, authentication) rather than concrete actions, and the trigger terms could be expanded to include more natural user language variations. The security domain is clear but could conflict with other security-adjacent skills.

Suggestions

Replace category names with specific actions: 'Implements input sanitization, JWT/OAuth authentication flows, rate limiting, and CORS configuration' instead of listing general areas.

Add natural trigger term variations users would say: 'auth', 'login', 'SQL injection', 'XSS prevention', 'OWASP', 'secure endpoints', 'API keys'.

Dimension / Reasoning / Score

Specificity (2 / 3): Names the domain (backend security) and lists some areas (input validation, authentication, API security), but these are categories rather than concrete actions like 'validates user input against injection attacks' or 'implements JWT token authentication'.

Completeness (3 / 3): Clearly answers both what ('secure backend coding practices specializing in input validation, authentication, and API security') and when ('Use PROACTIVELY for backend security implementations or security code reviews') with explicit trigger guidance.

Trigger Term Quality (2 / 3): Includes relevant terms like 'backend security', 'input validation', 'authentication', 'API security', and 'security code reviews', but is missing common variations users might say like 'auth', 'login security', 'SQL injection', 'XSS', 'OWASP', or 'secure coding'.

Distinctiveness / Conflict Risk (2 / 3): The 'backend security' focus provides some distinction, but 'security code reviews' could overlap with general code review skills, and 'authentication' could conflict with identity/auth-specific skills. The scope is moderately specific but not uniquely carved out.

Total: 9 / 12 (Passed)

Implementation: 20%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads like a comprehensive security knowledge dump rather than actionable guidance for Claude. It extensively lists security concepts and capabilities that Claude already understands, while providing zero executable code examples or concrete implementation patterns. The content would benefit from dramatic reduction and replacement of abstract descriptions with specific, copy-paste-ready code snippets.

Suggestions

Replace the extensive capability lists with 3-5 concrete, executable code examples for the most common security tasks (e.g., parameterized query, JWT validation, input sanitization function)

Remove the 'Knowledge Base' and 'Behavioral Traits' sections entirely - these describe what Claude already knows

Add validation checkpoints to the 'Response Approach' workflow (e.g., 'Verify input validation with test cases before proceeding')

Move detailed capability lists to separate reference files and keep SKILL.md as a concise quick-start guide with links to those resources

Dimension / Reasoning / Score

Conciseness (1 / 3): Extremely verbose with extensive lists of concepts Claude already knows (OWASP Top 10, JWT, OAuth, bcrypt, etc.). The 'Capabilities' section reads like a textbook table of contents rather than actionable guidance, and the 'Behavioral Traits' and 'Knowledge Base' sections describe what Claude should already understand.

Actionability (1 / 3): No executable code examples, no specific commands, no concrete implementations. Everything is abstract description ('Implement secure user authentication', 'Configure CSRF protection') without showing HOW to do it. The 'Example Interactions' are prompts, not solutions.

Workflow Clarity (2 / 3): The 'Response Approach' section provides a numbered sequence of steps, but lacks validation checkpoints, error recovery paths, or concrete verification steps. For security-critical operations, missing validation feedback loops is a significant gap.

Progressive Disclosure (2 / 3): References `resources/implementation-playbook.md` for detailed examples, which is good progressive disclosure. However, the main content is a monolithic wall of bullet points that could be better organized into separate reference files (e.g., API security, database security, authentication).

Total: 6 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

metadata_version: 'metadata.version' is missing (Warning)

Total: 10 / 11 (Passed)

Repository: duclm1x1/Dive-Ai (Reviewed)
