Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities — including custom security implementations such as hashing passwords with bcrypt/argon2, sanitizing SQL queries with parameterized statements, configuring CORS/CSP headers, validating input with Zod, and setting up JWT tokens. Invoke for authentication, authorization, input validation, encryption, OWASP Top 10 prevention, secure session management, and security hardening. For pre-built OAuth/SSO integrations or standalone security audits, consider a more specialized skill.
Quality: 88% (does it follow best practices?)
Impact: No eval scenarios have been run
Passed, no known issues
Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that excels across all dimensions. It provides highly specific concrete actions with named technologies, includes abundant natural trigger terms that developers would use, explicitly addresses both what and when, and clearly delineates its boundaries from related skills. The only minor note is that it uses imperative voice ('Use when', 'Invoke for') rather than third person declarative, but this is a common and acceptable pattern for skill descriptions.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: hashing passwords with bcrypt/argon2, sanitizing SQL queries with parameterized statements, configuring CORS/CSP headers, validating input with Zod, setting up JWT tokens. These are highly specific and actionable. | 3 / 3 |
| Completeness | Clearly answers both 'what' (custom security implementations like hashing, sanitizing, configuring headers, validating input, JWT setup) and 'when' (explicit 'Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities' and 'Invoke for...' clause). Also includes boundary guidance for when NOT to use it. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: authentication, authorization, input validation, encryption, OWASP Top 10, bcrypt, argon2, SQL, CORS, CSP, JWT, session management, security hardening, passwords, Zod. These are terms developers naturally use when seeking security help. | 3 / 3 |
| Distinctiveness / Conflict Risk | Carves out a clear niche around custom security implementation with specific technologies (bcrypt, argon2, Zod, JWT, parameterized statements). The boundary clause explicitly distinguishes it from OAuth/SSO integration skills and standalone security audit skills, reducing conflict risk. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 77%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, actionable security skill with excellent executable code examples covering the most critical security patterns (password hashing, parameterized queries, input validation, JWT, full endpoint security). The workflow is well-structured with explicit validation checkpoints. Minor weaknesses include some unnecessary content (Knowledge Reference list, generic Output Templates section) and the fact that referenced bundle files don't exist, undermining the progressive disclosure structure.
Suggestions
Remove the 'Knowledge Reference' keyword list — Claude already knows these concepts, and the reference table above already provides navigation.
Either provide the referenced files (references/owasp-prevention.md, etc.) as bundle files or remove the reference table to avoid pointing to non-existent resources.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient with good code examples, but includes some unnecessary elements like the 'Knowledge Reference' list of terms Claude already knows, the 'Output Templates' section which is generic, and minor verbosity in comments. The code examples themselves are well-commented without being excessive. | 2 / 3 |
| Actionability | The skill provides fully executable, copy-paste-ready TypeScript code examples covering password hashing, parameterized queries, input validation, JWT verification, and a complete endpoint flow. Each example is concrete, uses real libraries, and demonstrates the correct pattern alongside anti-patterns. | 3 / 3 |
| Workflow Clarity | The core workflow is clearly sequenced (threat model → design → implement → validate → document) with explicit validation checkpoints that specify what to test for each security domain (authentication, authorization, input handling, headers). The full endpoint example also demonstrates a clear 4-step flow with inline comments marking each phase. | 3 / 3 |
| Progressive Disclosure | The reference table with 'Load When' guidance is well-structured and signals one-level-deep references clearly. However, no bundle files are provided, so the referenced files (references/owasp-prevention.md, etc.) don't actually exist, making the progressive disclosure structure aspirational rather than functional. The main file also includes substantial inline code that could arguably be split into reference files. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.