Security Reviewer skill for security audits and best practices. Use it when you need to review code for vulnerabilities, validate an auth implementation, check against the OWASP Top 10, review CORS/CSRF/XSS, enforce DRY and clean code, or perform any other security review. Trigger on: "segurança", "security review", "vulnerabilidade", "OWASP", "XSS", "CSRF", "CORS", "injection", "HttpOnly", "cookie seguro", "DRY", "code review", "boas práticas", "audit", "pentest", "sanitização".
79
75%
Does it follow best practices?
- Impact: Pending. No eval scenarios have been run.
- Passed: No known issues.
Optimize this skill with Tessl:
`npx tessl skill review --optimize ./skills/06-security-review/SKILL.md`

Quality

Discovery
100%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its security review purpose, lists concrete actions, and provides explicit trigger guidance with comprehensive bilingual keywords. The explicit 'Use quando' and 'Trigger em' sections make it highly effective for skill selection. Minor note: the inclusion of 'DRY' and 'clean code' could slightly overlap with general code quality skills, but the overall security framing keeps it distinct.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: revisar código para vulnerabilidades, validar implementação de auth, checar OWASP Top 10, revisar CORS/CSRF/XSS, garantir DRY e clean code. These are concrete, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers both 'what' (auditoria de segurança, revisar código para vulnerabilidades, validar auth, checar OWASP Top 10, etc.) and 'when' with an explicit 'Use quando' clause and a dedicated 'Trigger em' list with specific keywords. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms in both Portuguese and English: 'segurança', 'security review', 'vulnerabilidade', 'OWASP', 'XSS', 'CSRF', 'CORS', 'injection', 'HttpOnly', 'cookie seguro', 'DRY', 'code review', 'boas práticas', 'audit', 'pentest', 'sanitização'. These are terms users would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clearly occupies a distinct niche of security auditing and review. The specific security-focused triggers (OWASP, XSS, CSRF, injection, pentest, sanitização) are unlikely to conflict with general code review or other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
50%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, concrete security guidance with executable code examples and specific thresholds, which is its strongest quality. However, it is severely bloated—most of the OWASP checklists, SOLID/DRY principles, and code examples should live in the referenced `docs/skill-guides/security-review.md` rather than inline, especially since Claude already knows these fundamentals. The workflow could benefit from an explicit review sequence with validation checkpoints rather than just listing responsibilities and handoff criteria.
Suggestions
- Move the detailed OWASP Top 10 checklists, code examples (headers, CORS, CSRF, XSS), and DRY/SOLID/Clean Code checklists into `docs/skill-guides/security-review.md` and keep only a concise summary with links in the main skill file.
- Remove explanations of concepts Claude already knows (what SOLID stands for, what DRY means, basic clean code principles) and focus only on project-specific conventions or non-obvious requirements.
- Add an explicit step-by-step review workflow with validation checkpoints, e.g., '1. Scan dependencies → 2. Review auth flow → 3. Check headers → 4. Run OWASP checklist → 5. Generate report → 6. If critical findings: block and handoff to fixer'.
- Trim the skill to under 100 lines by assuming Claude can look up OWASP details and focusing on project-specific security policies, thresholds, and the review/handoff process.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~300+ lines, with extensive checklists that Claude already knows (OWASP Top 10 basics, SOLID principles, clean code fundamentals, what DRY means). The DRY/SOLID/Clean Code section explains well-known concepts that don't need enumeration. Much of this is reference material that should be in a separate file, not inline. | 1 / 3 |
| Actionability | The skill provides fully executable TypeScript code examples for security headers, CORS configuration, CSRF protection, and XSS prevention. The checklists are concrete with specific values (bcrypt cost >= 12, JWT 15 min max, etc.) and the report template is copy-paste ready. | 3 / 3 |
| Workflow Clarity | The handoff criteria are clear (zero critical findings, npm audit clean, etc.) and the report template provides structure, but there's no explicit validation/feedback loop for the review process itself. The dependency management section has a good sequential checklist, but the overall review workflow lacks a clear step-by-step sequence with checkpoints for when to re-review or escalate. | 2 / 3 |
| Progressive Disclosure | The skill references `docs/skill-guides/security-review.md` for detailed checklists and several policy files, which is good. However, the massive inline OWASP checklists, code examples, and DRY/SOLID content should be in those referenced files rather than inline, making this a monolithic document that undermines the reference structure it claims to use. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation
90%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| Total | | 10 / 11 Passed |
e9f6648