security-review

Security Reviewer skill for security auditing and best practices. Use when you need to review code for vulnerabilities, validate an auth implementation, check against the OWASP Top 10, review CORS/CSRF/XSS, ensure DRY and clean code, or perform any other security review. Triggers on: "segurança", "security review", "vulnerabilidade", "OWASP", "XSS", "CSRF", "CORS", "injection", "HttpOnly", "cookie seguro", "DRY", "code review", "boas práticas", "audit", "pentest", "sanitização".

63

Quality

75%

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Advisory

Suggest reviewing before use

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/06-security-review/SKILL.md
Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly defines its security review purpose, lists concrete actions, provides explicit 'Use when' guidance, and includes a comprehensive list of bilingual trigger terms. The description is well-structured and would allow Claude to confidently select this skill when security-related tasks arise. Minor note: the inclusion of 'DRY' and 'clean code' slightly broadens scope beyond pure security, but these are reasonable additions for a security reviewer skill.

Dimension / Reasoning / Score

Specificity

Lists multiple specific, concrete actions: review code for vulnerabilities, validate the auth implementation, check against the OWASP Top 10, review CORS/CSRF/XSS, ensure DRY and clean code. These are concrete, actionable capabilities.

3 / 3

Completeness

Clearly answers both 'what' (security auditing, reviewing code for vulnerabilities, validating auth, checking the OWASP Top 10, etc.) and 'when', with an explicit 'Use quando' ('Use when') clause and a dedicated 'Trigger em' ('Triggers on') list specifying exact keywords.

3 / 3

Trigger Term Quality

Excellent coverage of natural trigger terms in both Portuguese and English: 'segurança', 'security review', 'vulnerabilidade', 'OWASP', 'XSS', 'CSRF', 'CORS', 'injection', 'HttpOnly', 'cookie seguro', 'DRY', 'code review', 'boas práticas', 'audit', 'pentest', 'sanitização'. These are terms users would naturally use.

3 / 3

Distinctiveness Conflict Risk

Clearly occupies a distinct niche of security auditing and review. The specific security-focused triggers (OWASP, XSS, CSRF, injection, pentest, sanitização) are unlikely to conflict with general code review or other skills.

3 / 3

Total: 12 / 12 (Passed)

Implementation

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides highly actionable, concrete security review guidance with executable code examples and detailed checklists, which is its primary strength. However, it is significantly over-verbose — inlining extensive OWASP checklists, SOLID/DRY explanations, and full code blocks that should either be in referenced files or trimmed given Claude's existing knowledge. The review workflow itself lacks clear sequencing and validation checkpoints for the audit process.

Suggestions

Move the full OWASP Top 10 checklists, DRY/SOLID checklists, and code examples into a referenced file (e.g., docs/skill-guides/security-review.md) and keep only a summary with key non-obvious items in the main SKILL.md.

Remove explanations of concepts Claude already knows (what SOLID stands for, what DRY means, basic security concepts) and keep only the project-specific conventions and thresholds.

Add an explicit step-by-step workflow for conducting the review (e.g., 1. Scan dependencies → 2. Review auth flow → 3. Check headers → 4. Code review → 5. Generate report) with validation checkpoints between steps.

Remove the 'Código Limpo' section which duplicates content already in the DRY Checklist section above it.

Dimension / Reasoning / Score

Conciseness

The skill is extremely verbose at ~300+ lines. It explains basic concepts Claude already knows (SOLID principles, what DRY means, what XSS is), includes full OWASP Top 10 checklists that are general knowledge, and has redundant sections (e.g., 'Código Limpo' repeats what's already in the DRY checklist). The anti-rationalization table and governance preamble add significant token overhead with limited actionable value.

1 / 3

Actionability

The skill provides fully executable TypeScript code examples for security headers, CORS configuration, CSRF protection, and XSS prevention. Checklists are concrete with specific items to verify, and the report template is copy-paste ready with clear structure.

3 / 3

Workflow Clarity

The handoff criteria are clear (5 conditions before releasing to Deployer), and the report template provides a structured output. However, the overall review workflow lacks explicit sequencing — there's no clear step-by-step process for conducting the review itself, no validation checkpoints during the audit, and no feedback loop for when findings are discovered and need re-verification after fixes.

2 / 3

Progressive Disclosure

References to external files exist (docs/skill-guides/security-review.md, personas/security-auditor.md, various policies), but the main file is monolithic with extensive inline checklists and code that could be split into referenced files. The OWASP checklist, code examples, and DRY/SOLID checklists bloat the main skill when they could be in separate reference documents.

2 / 3

Total: 8 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

allowed_tools_field

'allowed-tools' contains unusual tool name(s)

Warning

Total: 10 / 11 (Passed)

Repository
felvieira/claude-skills-fv
Reviewed
