
checking-owasp-compliance

This skill uses the owasp-compliance-checker plugin to automatically identify potential security vulnerabilities based on the OWASP Top 10 (2021) list. It helps ensure your application adheres to industry-standard security practices by providing a detailed analysis of compliance gaps and offering remediation guidance. Use this skill when you need to audit your code for OWASP compliance, identify and fix vulnerabilities, or generate a compliance report. Trigger this skill by asking to "check OWASP compliance", "scan for OWASP vulnerabilities", or using the `/owasp` shortcut.
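The listing above does not show what a scan or its compliance report looks like, and the Implementation review further down flags that the skill itself shows no invocation syntax, output format or handling of the "no findings" case. The following is an added illustration, written for this page and not the owasp-compliance-checker plugin's own code: a small scanner with a handful of regex rules mapped to OWASP Top 10 (2021) category IDs, run over constructed sample files, producing a per-category pass/fail report with remediation guidance. The rules, the report layout and the sample files are all assumptions chosen for the example; a real checker would use proper parsing rather than line regexes.

```python
import re
from dataclasses import dataclass

# OWASP Top 10 (2021) categories this toy rule set covers (IDs and titles are the official ones).
OWASP_2021 = {
    "A02": "Cryptographic Failures",
    "A03": "Injection",
    "A05": "Security Misconfiguration",
    "A08": "Software and Data Integrity Failures",
}


@dataclass
class Rule:
    category: str        # OWASP 2021 category ID
    pattern: re.Pattern  # regex applied to each source line
    title: str
    remediation: str


# Assumed, illustrative rules; not the plugin's rule set.
RULES = [
    Rule("A03", re.compile(r'\.execute\(\s*(f["\']|["\'][^"\']*["\']\s*[%+])'),
         "SQL built with string formatting or concatenation",
         "Use parameterised queries: cursor.execute(sql, params)."),
    Rule("A02", re.compile(r"hashlib\.(md5|sha1)\("),
         "Weak hash function (MD5/SHA-1)",
         "Use SHA-256 or stronger; for passwords use a slow KDF (argon2, bcrypt, scrypt)."),
    Rule("A05", re.compile(r"^\s*DEBUG\s*=\s*True\b"),
         "Debug mode enabled in configuration",
         "Set DEBUG = False for production and read the value from the environment."),
    Rule("A08", re.compile(r"pickle\.loads?\("),
         "Deserialisation of data with pickle",
         "Never unpickle untrusted input; use a data-only format such as JSON plus schema validation."),
]


@dataclass
class Finding:
    file: str
    line: int
    category: str
    title: str
    remediation: str
    snippet: str


def scan_source(filename, text):
    """Apply every rule to every line; return a Finding per match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(filename, lineno, rule.category,
                                        rule.title, rule.remediation, line.strip()))
    return findings


def scan_project(files):
    """files: mapping of path -> source text (a constructed stand-in for a checkout)."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_source(name, text))
    return findings


def compliance_report(findings):
    """Per-category PASS/FAIL summary; an empty finding list yields an all-PASS report."""
    by_cat = {cat: [] for cat in OWASP_2021}
    for f in findings:
        by_cat[f.category].append(f)
    lines = ["OWASP Top 10 (2021) compliance report", "=" * 40]
    for cat, title in OWASP_2021.items():
        hits = by_cat[cat]
        status = "PASS" if not hits else f"FAIL ({len(hits)} finding(s))"
        lines.append(f"{cat}:2021 {title}: {status}")
        for f in hits:
            lines.append(f"  {f.file}:{f.line}  {f.title}")
            lines.append(f"    code: {f.snippet}")
            lines.append(f"    fix:  {f.remediation}")
    failing = sum(1 for hits in by_cat.values() if hits)
    lines.append(f"Result: {len(OWASP_2021) - failing}/{len(OWASP_2021)} checked categories compliant")
    return "\n".join(lines)


# Constructed sample project (not real code): one hit per category plus one safe query.
SAMPLE_FILES = {
    "app/db.py": """\
def get_user(cur, name, uid):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")   # A03: string-built SQL
    cur.execute("SELECT 1 FROM users WHERE id = %s", (uid,))     # safe: parameterised
""",
    "app/auth.py": "import hashlib\ndigest = hashlib.md5(pw.encode()).hexdigest()\n",
    "app/settings.py": "DEBUG = True\n",
    "app/cache.py": "import pickle\nobj = pickle.loads(blob)\n",
}

if __name__ == "__main__":
    print(compliance_report(scan_project(SAMPLE_FILES)))
```

Running the block prints a report with all four sample categories failing; passing `compliance_report([])` (the "scan found nothing" path) prints the same layout with every category marked PASS and "4/4 checked categories compliant", so a caller can distinguish a clean scan from a scan that never ran.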

Install with Tessl CLI

npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill checking-owasp-compliance

Score: 90 (1.07x)

Quality: 60% (Does it follow best practices?)

Impact: 97% (1.07x; average score across 9 eval scenarios)

Optimize this skill with Tessl

npx tessl skill review --optimize ./backups/skill-structure-cleanup-20251108-073936/plugins/security/owasp-compliance-checker/skills/owasp-compliance-checker/SKILL.md

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a well-crafted skill description that clearly articulates specific capabilities (vulnerability identification, compliance analysis, remediation guidance), provides explicit trigger conditions, and includes natural user phrases. The only minor issue is the use of the second person ('your application', 'your code'), which slightly deviates from the preferred third-person voice, but this doesn't significantly impact the description's effectiveness.

Dimension | Reasoning | Score
Specificity | Lists multiple concrete actions: 'identify potential security vulnerabilities', 'detailed analysis of compliance gaps', 'offering remediation guidance', 'audit your code', 'identify and fix vulnerabilities', 'generate a compliance report'. | 3 / 3
Completeness | Clearly answers both what (identifies vulnerabilities, provides analysis and remediation guidance) AND when ('Use this skill when you need to audit...', 'Trigger this skill by asking...'). | 3 / 3
Trigger Term Quality | Includes natural trigger terms users would say: 'check OWASP compliance', 'scan for OWASP vulnerabilities', '/owasp shortcut', 'audit', 'compliance report', 'security vulnerabilities'. | 3 / 3
Distinctiveness / Conflict Risk | Highly specific niche focused on OWASP Top 10 (2021) compliance with distinct triggers like the '/owasp' shortcut and 'OWASP compliance'; unlikely to conflict with general security or code review skills. | 3 / 3
Total | | 12 / 12 (Passed)

Implementation: 20%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill content is overly verbose and lacks actionable guidance. It describes what the plugin does conceptually but never shows how to actually use it: no command syntax, no output examples, no error handling. The content reads like marketing copy rather than technical documentation Claude can execute.

Suggestions

Add concrete plugin invocation syntax (e.g., the actual command or API call to trigger the owasp-compliance-checker)

Include an example of actual plugin output format so Claude knows what to expect and how to parse results

Remove explanatory content about what OWASP is and why security matters - Claude already knows this

Add error handling guidance: what happens if the scan fails, times out, or finds no issues

Dimension | Reasoning | Score
Conciseness | Extremely verbose with unnecessary explanations Claude already knows (what OWASP is, why security matters). Heavy padding with phrases like 'empowers Claude' and 'actionable insights' that add no value. The entire content could be reduced to ~20 lines. | 1 / 3
Actionability | No concrete code, commands, or executable examples. Describes what the skill 'will do' abstractly but never shows actual plugin invocation syntax, expected output format, or specific commands. The examples are narrative descriptions, not actionable instructions. | 1 / 3
Workflow Clarity | Steps are listed (initiate, analyze, generate) but lack specifics. No validation checkpoints, no error handling guidance, no feedback loops for when scans fail or produce unexpected results. The workflow is conceptual rather than operational. | 2 / 3
Progressive Disclosure | Content is organized into sections but everything is inline in one file. Mentions integration possibilities but doesn't link to any reference documentation. The structure exists, but content that could be separate (OWASP categories, remediation patterns) is neither included nor referenced. | 2 / 3
Total | | 6 / 12 (Passed)

Validation: 81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 checks passed

Validation for skill structure (only the checks that did not fully pass are listed):

Criteria | Description | Result
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning
Total | | 9 / 11 (Passed)
