
security-review

Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.

Score: 93 (1.07x)

Quality: 73% (Does it follow best practices?)

Impact: 97% (1.07x)

Average score across 9 eval scenarios

Security by Snyk: Advisory. Suggest reviewing before use.


Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description has strong trigger term coverage and completeness with an explicit 'Use when' clause listing multiple scenarios. However, it lacks specificity about concrete actions (what does 'security checklist and patterns' actually do?) and could potentially conflict with API or authentication-focused skills that aren't security-specific.

Suggestions

Replace 'Provides comprehensive security checklist and patterns' with specific actions like 'Reviews code for vulnerabilities, implements input validation, configures secure headers, encrypts sensitive data'

Add distinguishing terms to reduce conflict risk, such as 'security audit', 'vulnerability', 'OWASP', or 'secure coding practices'

Dimension, reasoning and score

Specificity (2 / 3): Names the domain (security) and lists several areas (authentication, user input, secrets, API endpoints, payment features), but lacks concrete actions; 'Provides comprehensive security checklist and patterns' is vague about what specific actions are performed.

Completeness (3 / 3): Explicitly answers both what ('Provides comprehensive security checklist and patterns') and when ('Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features').

Trigger Term Quality (3 / 3): Includes natural keywords users would say: 'authentication', 'user input', 'secrets', 'API endpoints', 'payment', 'sensitive features'. These are terms developers naturally use when discussing security concerns.

Distinctiveness / Conflict Risk (2 / 3): While security-focused, terms like 'API endpoints' and 'user input' could overlap with general API development or form handling skills. The security niche is clear, but boundaries with adjacent skills could blur.

Total: 10 / 12 (Passed)

Implementation

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a comprehensive security checklist with excellent actionable code examples covering OWASP-style vulnerabilities. The main weaknesses are its length (could benefit from splitting into focused sub-documents) and lack of explicit workflow integration showing when/how to apply these checks during the development lifecycle.

Suggestions

Split detailed sections (e.g., Supabase RLS, CSP configuration, blockchain security) into separate reference files and link from the main skill

Add a workflow section showing when to apply security checks during development (e.g., 'Before PR: run npm audit, check for hardcoded secrets; Before deploy: complete checklist')

Remove redundant explanations: the ❌/✅ pattern is effective, but some sections over-explain (e.g., the SQL injection section could just show the patterns without the 'dangerous' comment)

Dimension, reasoning and score

Conciseness (2 / 3): The skill is comprehensive but includes some redundant explanations (e.g., explaining what SQL injection is through examples rather than just showing the pattern). The extensive checklists and multiple code examples for each section add length, though most content is actionable.

Actionability (3 / 3): Excellent executable code examples throughout: TypeScript/JavaScript patterns are copy-paste ready, SQL examples are complete, and each security concern has concrete do/don't examples with real library imports (zod, DOMPurify, etc.).

Workflow Clarity (2 / 3): While individual security checks are clear, the skill lacks explicit workflow sequencing for when to apply these checks during development. The deployment checklist is helpful, but there is no validation feedback loop for security testing integration.

Progressive Disclosure (2 / 3): Content is well-organized with clear section headers and the structure is logical, but the skill is monolithic (~400 lines) with all content inline. External resources are listed, but detailed topics like RLS or CSP could be split into separate reference files.

Total: 9 / 12 (Passed)

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure: No warnings or errors.

Repository: haniakrim21/everything-claude-code
