tessl i github:jeffallan/claude-skills --skill secure-code-guardian

Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities. Invoke for authentication, authorization, input validation, encryption, OWASP Top 10 prevention.
Review Score: 64%
Validation Score: 12/16
Implementation Score: 42%
Activation Score: 82%
Validation
Total: 12/16
Score: Passed
| Criteria | Score |
|---|---|
| metadata_version | 'metadata' field is not a dictionary |
| license_field | 'license' field is missing |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata |
| body_examples | No examples detected (no code fences and no 'Example' wording) |
Implementation
Suggestions: 4
Score: 42%
Overall Assessment
This skill has strong progressive disclosure with a well-organized reference table, but critically lacks actionable code examples for security implementations. The constraints sections provide good guardrails but remain abstract. For a security skill covering authentication and input validation, the absence of executable code significantly limits its utility.
Suggestions
| Dimension | Score | Reasoning |
|---|---|---|
| Conciseness | 2/3 | The skill includes some unnecessary framing ('You are a senior security engineer with 10+ years...') and the 'Knowledge Reference' section lists concepts Claude already knows. However, the core content is reasonably efficient with good use of tables and lists. |
| Actionability | 1/3 | The skill provides no executable code examples despite covering implementation topics like password hashing, parameterized queries, and JWT. All guidance is abstract ('Hash passwords with bcrypt/argon2') without showing how to actually do it. |
| Workflow Clarity | 2/3 | The 5-step workflow is listed but lacks validation checkpoints and feedback loops. For security-critical operations like authentication implementation, there should be explicit verification steps (e.g., 'test that invalid passwords are rejected'). |
| Progressive Disclosure | 3/3 | Excellent use of a reference table with clear 'Load When' conditions pointing to one-level-deep reference files. The structure clearly separates overview content from detailed guidance in external files. |
Activation
Suggestions: 2
Score: 82%
Overall Assessment
This description effectively communicates when to use the skill with explicit trigger terms and a clear 'Use when' clause. However, it lacks specificity in describing concrete actions—it lists security categories rather than specific capabilities. The broad scope covering all of OWASP Top 10 plus auth/encryption may create conflicts with more specialized security skills.
Suggestions
| Dimension | Score | Reasoning |
|---|---|---|
| Specificity | 2/3 | Names the security domain and lists some actions (authentication, authorization, input validation, encryption, OWASP Top 10 prevention), but these are high-level categories rather than concrete specific actions like 'hash passwords with bcrypt' or 'sanitize SQL queries'. |
| Completeness | 3/3 | Explicitly answers both what (implementing auth, securing input, preventing OWASP vulnerabilities) and when ('Use when implementing authentication/authorization, securing user input') with clear trigger guidance via 'Invoke for' clause. |
| Trigger Term Quality | 3/3 | Good coverage of natural terms users would say: 'authentication', 'authorization', 'input validation', 'encryption', 'OWASP Top 10' are all terms developers naturally use when discussing security concerns. |
| Distinctiveness Conflict Risk | 2/3 | Security is a clear domain, but 'input validation' could overlap with general form handling skills, and 'authentication' could conflict with specific OAuth or SSO skills. The broad scope increases potential for overlap. |