Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities — including custom security implementations such as hashing passwords with bcrypt/argon2, sanitizing SQL queries with parameterized statements, configuring CORS/CSP headers, validating input with Zod, and setting up JWT tokens. Invoke for authentication, authorization, input validation, encryption, OWASP Top 10 prevention, secure session management, and security hardening. For pre-built OAuth/SSO integrations or standalone security audits, consider a more specialized skill.
Overall score: 94
Quality (does it follow best practices?): 92%
Impact: 95% (1.30x average score across 6 eval scenarios)
Status: Passed, no known issues

Discovery
Score: 100%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that hits all the key criteria. It provides highly specific concrete actions with named technologies, includes abundant natural trigger terms that developers would use, clearly delineates both what the skill does and when to invoke it, and even includes boundary conditions to reduce overlap with related skills. The only minor note is that the description is somewhat dense, but the information density is justified by the breadth of the security domain.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: hashing passwords with bcrypt/argon2, sanitizing SQL queries with parameterized statements, configuring CORS/CSP headers, validating input with Zod, setting up JWT tokens. These are highly specific and actionable. | 3 / 3 |
| Completeness | Clearly answers both 'what' (custom security implementations like password hashing, SQL sanitization, CORS/CSP configuration, input validation, JWT setup) and 'when' (explicit 'Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities'). Also includes boundary guidance about when NOT to use it (OAuth/SSO integrations, standalone audits). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: authentication, authorization, input validation, encryption, OWASP Top 10, bcrypt, argon2, CORS, CSP, JWT, parameterized statements, Zod, session management, security hardening. These are terms developers naturally use when seeking security help. | 3 / 3 |
| Distinctiveness / Conflict Risk | Carves out a clear niche around custom security implementation with specific technology triggers (bcrypt, argon2, Zod, JWT, CORS/CSP). The explicit exclusion of pre-built OAuth/SSO integrations and standalone security audits further reduces conflict risk with adjacent skills. | 3 / 3 |
| Total | | 12 / 12 (Passed) |
Implementation
Score: 85%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong security skill with excellent actionability through complete, executable TypeScript examples covering the most critical security patterns. The workflow is well-structured with explicit validation checkpoints, and progressive disclosure is handled cleanly via the reference table. Minor inefficiencies exist in redundant sections (Knowledge Reference, Output Templates) and some over-explanation that could be trimmed.
Suggestions
Remove the 'Knowledge Reference' section — it's just a list of terms Claude already knows and adds no actionable value.
Replace the vague 'Output Templates' section with either a concrete example of expected output or remove it entirely, as the code examples already demonstrate the expected implementation pattern.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient with good code examples, but includes some unnecessary elements like the 'Knowledge Reference' section at the bottom (Claude already knows these acronyms), the 'Output Templates' section is vague filler, and some inline comments over-explain obvious things. The constraints section, while useful, partially restates what the code examples already demonstrate. | 2 / 3 |
| Actionability | Excellent actionability: provides fully executable TypeScript code examples for password hashing, parameterized queries, input validation with Zod, JWT verification, and a complete secured endpoint flow. All examples are copy-paste ready with real libraries and realistic patterns. | 3 / 3 |
| Workflow Clarity | The core workflow is clearly sequenced (threat model → design → implement → validate → document) with explicit validation checkpoints that specify concrete test cases for authentication, authorization, input handling, and headers. The full-flow endpoint example demonstrates the numbered steps in practice, and the validation section includes specific payloads and tools to verify. | 3 / 3 |
| Progressive Disclosure | Well-structured with a clear overview, a reference table pointing to one-level-deep topic-specific files with 'Load When' guidance, and inline code examples for the most common patterns. The table format makes navigation easy and the references are clearly signaled. | 3 / 3 |
| Total | | 11 / 12 (Passed) |
Validation
Score: 100%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
3d95bb1