secure-code-guardian

Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities. Invoke for authentication, authorization, input validation, encryption, OWASP Top 10 prevention.

Install with Tessl CLI

npx tessl i github:jeffallan/claude-skills --skill secure-code-guardian
Overall score: 64%

Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description effectively communicates when to use the skill with explicit trigger terms and a clear 'Use when' clause. However, it lacks specificity in describing concrete actions—it lists security categories rather than specific capabilities. The broad scope covering all of OWASP Top 10 plus auth/encryption may create conflicts with more specialized security skills.

Suggestions

Add specific concrete actions like 'implement password hashing, sanitize SQL queries, configure CORS headers, set up JWT tokens' to improve specificity

Consider narrowing scope or adding distinguishing details to reduce potential conflicts with specialized auth or encryption skills

Dimension | Reasoning | Score

Specificity

Names the security domain and lists some actions (authentication, authorization, input validation, encryption, OWASP Top 10 prevention), but these are high-level categories rather than concrete specific actions like 'hash passwords with bcrypt' or 'sanitize SQL queries'.

2 / 3

Completeness

Explicitly answers both what (implementing auth, securing input, preventing OWASP vulnerabilities) and when ('Use when implementing authentication/authorization, securing user input') with clear trigger guidance via 'Invoke for' clause.

3 / 3

Trigger Term Quality

Good coverage of natural terms users would say: 'authentication', 'authorization', 'input validation', 'encryption', 'OWASP Top 10' are all terms developers naturally use when discussing security concerns.

3 / 3

Distinctiveness Conflict Risk

Security is a clear domain, but 'input validation' could overlap with general form handling skills, and 'authentication' could conflict with specific OAuth or SSO skills. The broad scope increases potential for overlap.

2 / 3

Total: 10 / 12 (Passed)

Implementation: 42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill has strong progressive disclosure with a well-organized reference table, but critically lacks actionable code examples for security implementations. The constraints sections provide good guardrails but remain abstract. For a security skill covering authentication and input validation, the absence of executable code significantly limits its utility.

Suggestions

Add executable code examples for critical patterns: bcrypt password hashing, parameterized SQL queries, and input validation with Zod

Remove the role-play framing ('You are a senior security engineer...') and 'Knowledge Reference' section - Claude already knows these concepts

Add validation checkpoints to the workflow, e.g., 'Validate: Test that authentication rejects invalid credentials before proceeding'

Include at least one complete, copy-paste ready security implementation in the main skill file (e.g., a secure login endpoint)

Dimension | Reasoning | Score

Conciseness

The skill includes some unnecessary framing ('You are a senior security engineer with 10+ years...') and the 'Knowledge Reference' section lists concepts Claude already knows. However, the core content is reasonably efficient with good use of tables and lists.

2 / 3

Actionability

The skill provides no executable code examples despite covering implementation topics like password hashing, parameterized queries, and JWT. All guidance is abstract ('Hash passwords with bcrypt/argon2') without showing how to actually do it.

1 / 3

Workflow Clarity

The 5-step workflow is listed but lacks validation checkpoints and feedback loops. For security-critical operations like authentication implementation, there should be explicit verification steps (e.g., 'test that invalid passwords are rejected').

2 / 3

Progressive Disclosure

Excellent use of a reference table with clear 'Load When' conditions pointing to one-level-deep reference files. The structure clearly separates overview content from detailed guidance in external files.

3 / 3

Total: 8 / 12 (Passed)

Validation: 75%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 12 / 16 checks passed

Validation for skill structure

Criteria | Description | Result

metadata_version

'metadata' field is not a dictionary

Warning

license_field

'license' field is missing

Warning

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

body_examples

No examples detected (no code fences and no 'Example' wording)

Warning

Total: 12 / 16 (Passed)
