Security Reviewer skill for security auditing and best practices. Use it when you need to review code for vulnerabilities, validate an auth implementation, check against the OWASP Top 10, review CORS/CSRF/XSS handling, enforce DRY and clean code, or perform any other kind of security review. Triggers on: "segurança", "security review", "vulnerabilidade", "OWASP", "XSS", "CSRF", "CORS", "injection", "HttpOnly", "cookie seguro", "DRY", "code review", "boas práticas", "audit", "pentest", "sanitização".
Score: 85 (82%)
Impact: Pending (no eval scenarios have been run)
Quality: Passed (no known issues)
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its security review niche with specific capabilities, explicit trigger guidance, and comprehensive bilingual trigger terms. It follows the recommended pattern of stating what the skill does followed by when to use it, and includes a rich set of natural keywords. The only minor note is the inclusion of 'DRY' and 'clean code' which could slightly overlap with general code quality skills, but the overall security focus keeps it well-differentiated.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: review code for vulnerabilities, validate auth implementation, check OWASP Top 10, review CORS/CSRF/XSS, enforce DRY and clean code. These are clearly defined, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers both 'what' (security auditing, vulnerability review, auth validation, OWASP checks, CORS/CSRF/XSS review, DRY/clean code) and 'when' with an explicit 'Use when...' clause and a dedicated 'Triggers on:' list providing explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms in both Portuguese and English: 'segurança', 'security review', 'vulnerabilidade', 'OWASP', 'XSS', 'CSRF', 'CORS', 'injection', 'HttpOnly', 'cookie seguro', 'DRY', 'code review', 'boas práticas', 'audit', 'pentest', 'sanitização'. These are terms users would naturally use when requesting security reviews. | 3 / 3 |
| Distinctiveness / Conflict Risk | Occupies a clear niche focused on security auditing and vulnerability review. The specific security-related triggers (OWASP, XSS, CSRF, injection, pentest, sanitização) are highly distinctive and unlikely to conflict with general code review or other development skills. | 3 / 3 |
| Total | | 12 / 12 (Passed) |
Implementation: 64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a comprehensive security review skill with strong actionability — concrete code examples, specific thresholds, and a ready-to-use report template. Its main weaknesses are excessive inline content that could be better distributed across referenced files, and a lack of explicit step-by-step workflow for conducting the review itself. Some sections (DRY, SOLID, Clean Code basics) explain concepts Claude already knows well.
Suggestions

- Add an explicit numbered workflow for conducting a security review (e.g., Step 1: Review auth flow, Step 2: Run npm audit, Step 3: Check headers, Step 4: Validate findings → if critical, block deploy) with validation checkpoints between steps.
- Move the detailed OWASP checklists and code examples into a referenced file (e.g., docs/owasp-checklists.md) and keep SKILL.md as a concise overview with quick-reference summaries.
- Remove or significantly trim the DRY/SOLID/Clean Code section; Claude already knows these principles. Keep only project-specific patterns (e.g., 'use useApiMutation hook, createStore factory') if those are custom to the codebase.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly comprehensive but includes some content Claude already knows (SOLID principles, DRY definitions, clean code basics). The OWASP checklists are useful reference material, but the DRY/SOLID/Clean Code section largely restates well-known concepts. The anti-rationalization table and some governance boilerplate add tokens without proportional value. | 2 / 3 |
| Actionability | The skill provides fully executable code examples for security headers, CORS configuration, CSRF protection, and XSS prevention. Checklists are concrete with specific thresholds (bcrypt cost >= 12, JWT 15 min max, rate limit 5 attempts/min). The report template is copy-paste ready with clear severity categories. | 3 / 3 |
| Workflow Clarity | The handoff criteria are clear (zero critical findings, npm audit clean, etc.) and the dependency management section has a sequenced checklist. However, the overall review workflow itself lacks explicit sequencing: there is no clear 'Step 1: do X, Step 2: validate Y, Step 3: if fail then Z' flow for conducting the actual security review. The report template implies a process but doesn't define the review sequence with validation checkpoints. | 2 / 3 |
| Progressive Disclosure | References to external files are present (docs/skill-guides/security-review.md, personas/security-auditor.md, various policies) and are one level deep, which is good. However, the main file itself is quite long (~250 lines) with extensive inline checklists and code examples that could be split into referenced files, keeping SKILL.md as a leaner overview. | 2 / 3 |
| Total | | 9 / 12 (Passed) |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| Total | | 10 / 11 (Passed) |
d87ad31