tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill checking-owasp-compliance

This skill uses the owasp-compliance-checker plugin to automatically identify potential security vulnerabilities based on the OWASP Top 10 (2021) list. It helps ensure your application adheres to industry-standard security practices by providing a detailed analysis of compliance gaps and offering remediation guidance. Use this skill when you need to audit your code for OWASP compliance, identify and fix vulnerabilities, or generate a compliance report. Trigger this skill by asking to "check OWASP compliance", "scan for OWASP vulnerabilities", or using the `/owasp` shortcut.
Validation
63%

| Criteria | Description | Result |
|---|---|---|
| description_voice | 'description' should use third person voice; found second person: 'your ' | Warning |
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| body_output_format | No obvious output/return/format terms detected; consider specifying expected outputs | Warning |
| Total | | 10 / 16 Passed |
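The six warnings above are all checks on a SKILL.md file's frontmatter and body. As an added illustration, not tessl's validator and not code from the skill's repository, the Python below approximates those six criteria and runs them over two constructed SKILL.md files: one that trips every warning and a corrected one that passes. The frontmatter key allowlist, the tool-name allowlist, the second-person and output-term patterns, and the YAML subset the parser accepts are all assumptions made for this example.

```python
"""Constructed approximation of the six frontmatter/body warnings.
Criteria names come from the validation table; the rules behind them,
the allowlists and the regexes are assumptions, not tessl's implementation."""
import re

# Assumed: frontmatter keys the Agent Skills spec defines
KNOWN_KEYS = {"name", "description", "license", "compatibility",
              "metadata", "allowed-tools"}
# Assumed: tool names a Claude Code skill normally lists in allowed-tools
KNOWN_TOOLS = {"Read", "Write", "Edit", "Bash", "Grep", "Glob",
               "WebFetch", "WebSearch", "Task"}
OUTPUT_TERMS = re.compile(r"\b(output|return|format|report)s?\b", re.I)
SECOND_PERSON = re.compile(r"\b(you|your|yours)\b", re.I)


def parse_skill(text):
    """Split SKILL.md into (frontmatter dict, body).

    Handles only the YAML subset used here: `key: scalar` lines and one
    level of indented `key: value` pairs under a key with no scalar value."""
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not m:
        raise ValueError("missing frontmatter block")
    fm, parent = {}, None
    for line in m.group(1).splitlines():
        if not line.strip():
            continue
        if line.startswith("  ") and parent is not None:
            k, _, v = line.strip().partition(":")
            fm[parent][k.strip()] = v.strip()   # nested mapping entry
            continue
        k, _, v = line.partition(":")
        k, v = k.strip(), v.strip()
        if v == "":
            fm[k], parent = {}, k               # a nested mapping follows
        else:
            fm[k], parent = v, None
    return fm, m.group(2)


def check_skill(text):
    """Return the warning criteria that fire, in table order; [] means all pass."""
    fm, body = parse_skill(text)
    warnings = []
    if SECOND_PERSON.search(str(fm.get("description", ""))):
        warnings.append("description_voice")
    # "Bash(git:*)" style entries are compared on the tool name before "("
    tools = str(fm.get("allowed-tools", "")).split()
    if any(t.split("(")[0] not in KNOWN_TOOLS for t in tools):
        warnings.append("allowed_tools_field")
    if "metadata" in fm and not isinstance(fm["metadata"], dict):
        warnings.append("metadata_version")
    if "license" not in fm:
        warnings.append("license_field")
    if set(fm) - KNOWN_KEYS:
        warnings.append("frontmatter_unknown_keys")
    if not OUTPUT_TERMS.search(body):
        warnings.append("body_output_format")
    return warnings


# Constructed sample: trips all six warnings (second person, unknown tool,
# scalar metadata, no license, unknown key "category", no output terms in body)
BAD_SKILL = """---
name: checking-owasp-compliance
description: Audits your code against the OWASP Top 10 (2021).
allowed-tools: Read Grep owasp-scanner
metadata: 1.0
category: security
---
# Checking OWASP compliance

Run the plugin and fix what it finds.
"""

# Constructed sample: the same skill with each warning addressed
GOOD_SKILL = """---
name: checking-owasp-compliance
description: Audits a codebase against the OWASP Top 10 (2021) and reports compliance gaps. Use when asked to check OWASP compliance or scan for OWASP vulnerabilities.
license: MIT
allowed-tools: Read Grep Bash(npm:*)
metadata:
  version: "1.0"
  author: example
---
# Checking OWASP compliance

Output format: one table row per finding (category, file, severity, remediation).
"""

if __name__ == "__main__":
    for label, skill in (("bad", BAD_SKILL), ("good", GOOD_SKILL)):
        print(label, check_skill(skill))
```

The checker deliberately returns criteria names rather than printing, so it can be wired into a pre-commit hook or CI step that fails on a non-empty list; the "10 / 16" total on the page implies ten further criteria that this example does not model.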
Implementation
20%

This skill content is primarily descriptive marketing copy rather than actionable technical guidance. It explains what the skill does conceptually but provides zero executable examples, no actual plugin command syntax, and no concrete output formats. Claude cannot effectively use this skill because it lacks the specific invocation details and expected behaviors needed for execution.
Suggestions
Add actual plugin invocation syntax with concrete examples (e.g., the exact command or function call to run the OWASP checker)
Include a real example of plugin output format so Claude knows what to expect and how to interpret results
Remove explanatory content about what OWASP is and why security matters - Claude already knows this
Add validation steps: how to verify the scan completed successfully, how to confirm fixes resolved the identified issues
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose with unnecessary explanations Claude already knows. Phrases like 'This skill empowers Claude' and extensive descriptions of what OWASP is and why security matters waste tokens. The content could be reduced by 70%+ while preserving all actionable information. | 1 / 3 |
| Actionability | No concrete code, commands, or executable guidance provided. The skill describes what happens abstractly ('The skill will activate the plugin') but never shows actual plugin invocation syntax, command parameters, or real output examples. Everything is vague description rather than instruction. | 1 / 3 |
| Workflow Clarity | Steps are listed (Initiate Scan → Analyze → Generate Report) but lack any validation checkpoints or error handling. No guidance on what to do if the scan fails, how to interpret results, or how to verify fixes were applied correctly. | 2 / 3 |
| Progressive Disclosure | Content is reasonably organized with clear sections, but everything is inline in one file with no references to detailed documentation. The 'Integration' section hints at advanced usage but provides no links or concrete guidance. | 2 / 3 |
| Total | | 6 / 12 Passed |
Activation
100%

This is a well-crafted skill description that clearly articulates specific capabilities (vulnerability identification, compliance analysis, remediation guidance), provides explicit 'Use when' guidance, and includes natural trigger terms users would actually say. The only minor issue is the use of second person ('your application', 'your code') which slightly deviates from the preferred third person voice, but this doesn't significantly impact the description's effectiveness.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple concrete actions: 'identify potential security vulnerabilities', 'detailed analysis of compliance gaps', 'offering remediation guidance', 'audit your code', 'identify and fix vulnerabilities', 'generate a compliance report'. | 3 / 3 |
| Completeness | Clearly answers both what (identifies vulnerabilities, provides analysis and remediation guidance) AND when ('Use this skill when you need to audit your code for OWASP compliance...') with explicit trigger phrases. | 3 / 3 |
| Trigger Term Quality | Includes natural trigger terms users would say: 'check OWASP compliance', 'scan for OWASP vulnerabilities', '/owasp shortcut', 'audit', 'compliance report', 'security vulnerabilities'. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly specific niche focused on OWASP Top 10 (2021) compliance checking with distinct triggers like '/owasp' shortcut and 'OWASP compliance' - unlikely to conflict with general security or code review skills. | 3 / 3 |
| Total | | 12 / 12 Passed |