Security Reviewer skill for security audits and best practices. Use it when you need to review code for vulnerabilities, validate an auth implementation, check against the OWASP Top 10, review CORS/CSRF/XSS handling, enforce DRY and clean code, or perform any other security review. Triggers on: "segurança", "security review", "vulnerabilidade", "OWASP", "XSS", "CSRF", "CORS", "injection", "HttpOnly", "cookie seguro", "DRY", "code review", "boas práticas", "audit", "pentest", "sanitização".
Overall score: 85

Quality: 82% (Does it follow best practices?)
Impact: Pending (no eval scenarios have been run)
Passed: No known issues

Quality

Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that excels across all dimensions. It provides specific security-related capabilities, includes comprehensive trigger terms in both Portuguese and English, explicitly states when to use it, and has a clear distinctive niche in security auditing that minimizes conflict with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'revisar código para vulnerabilidades', 'validar implementação de auth', 'checar OWASP Top 10', 'revisar CORS/CSRF/XSS', 'garantir DRY e clean code'. These are concrete, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers both what (security auditing, vulnerability review, auth validation, OWASP checks, clean code) AND when, with an explicit 'Use quando' clause and a dedicated 'Trigger em:' section listing specific activation terms. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms in both Portuguese and English: 'segurança', 'security review', 'vulnerabilidade', 'OWASP', 'XSS', 'CSRF', 'CORS', 'injection', 'HttpOnly', 'cookie seguro', 'DRY', 'code review', 'boas práticas', 'audit', 'pentest', 'sanitização'. These are terms users would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clear security-focused niche with highly specific triggers like 'OWASP', 'XSS', 'CSRF', 'injection', 'pentest', 'sanitização'. Unlikely to conflict with general code review or other skills due to security-specific terminology. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid security review skill with excellent actionability through concrete code examples and comprehensive OWASP checklists. The main weaknesses are verbosity (explaining known concepts like DRY/SOLID, duplicate header configurations) and lack of explicit validation workflow for the review process itself. The content would benefit from splitting detailed checklists into referenced files while keeping the SKILL.md as a leaner overview.
Suggestions

- Move detailed OWASP checklists and code examples to a separate reference file (e.g., security-checklists.md) and keep only a summary in SKILL.md.
- Remove explanations of DRY/SOLID principles (Claude knows these); keep only the project-specific checklist items.
- Add explicit validation steps to the review workflow (e.g., 'After checking auth flow → document finding → verify fix → re-check').
- Consolidate the duplicate security headers examples (middleware vs next.config) into one canonical example with a note about framework variations.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is comprehensive but includes some redundancy (e.g., repeating security header configurations in two formats, explaining concepts like DRY/SOLID that Claude knows). The checklists are useful but could be more condensed. | 2 / 3 |
| Actionability | Excellent actionability with executable TypeScript code examples for security headers, CORS, CSRF protection, and XSS prevention. Checklists are concrete with specific items to verify, and the report template is copy-paste ready. | 3 / 3 |
| Workflow Clarity | The skill has clear handoff criteria and a structured report format, but lacks explicit validation checkpoints during the review process itself. The dependency management section has a good numbered workflow, but the main review process is more of a checklist than a sequenced workflow with feedback loops. | 2 / 3 |
| Progressive Disclosure | References external files (GLOBAL.md, policies/, docs/skill-guides/security-review.md) appropriately, but the main content is quite long (~300 lines) with detailed checklists that could be split into separate reference files. The structure is good but content density is high. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| Total | | 10 / 11 Passed |