This skill enables Claude to detect SQL injection vulnerabilities in code. It uses the sql-injection-detector plugin to analyze codebases, identify potential SQL injection flaws, and provide remediation guidance. Use this skill when the user asks to find SQL injection vulnerabilities, scan for SQL injection, or check code for SQL injection risks. The skill is triggered by phrases like "detect SQL injection", "scan for SQLi", or "check for SQL injection vulnerabilities".
Overall score: 85

Quality: 50% (Does it follow best practices?)
Impact: 92% (1.13x average score across 9 eval scenarios)
Validation: Passed, no known issues
Optimize this skill with Tessl: `npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/sql-injection-detector/skills/sql-injection-detector/SKILL.md`

Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its purpose, lists concrete capabilities, and provides explicit trigger guidance. It covers natural user language variations including the common abbreviation 'SQLi'. The description is well-structured with a clear 'Use this skill when...' clause that makes selection unambiguous.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple concrete actions: detect SQL injection vulnerabilities, analyze codebases, identify potential SQL injection flaws, and provide remediation guidance. These are specific, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers both 'what' (detect SQL injection vulnerabilities, analyze codebases, identify flaws, provide remediation) and 'when' (explicit 'Use this skill when...' clause with specific trigger phrases). | 3 / 3 |
| Trigger Term Quality | Includes excellent natural trigger terms users would say: 'SQL injection', 'SQLi', 'scan for SQL injection', 'check for SQL injection vulnerabilities', 'detect SQL injection'. Covers common variations including the abbreviation 'SQLi'. | 3 / 3 |
| Distinctiveness / Conflict Risk | Very clearly scoped to SQL injection detection specifically, with distinct triggers like 'SQLi' and 'SQL injection'. Unlikely to conflict with general code review or other security scanning skills due to the narrow, well-defined focus. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
0%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content is almost entirely descriptive marketing copy rather than actionable technical guidance. It explains what the skill does conceptually but never shows how to actually invoke the sql-injection-detector plugin, what arguments it takes, what its output looks like, or how to interpret results. Every section restates information Claude already knows or could infer, wasting significant token budget.
Suggestions
- Replace the abstract 'How It Works' section with concrete plugin invocation syntax, e.g., the exact command or function call to run the sql-injection-detector with specific arguments and flags.
- Add a real example showing actual vulnerable code input and the expected scanner output format (JSON, table, etc.) so Claude knows what to produce.
- Remove the 'Overview', 'When to Use', 'Best Practices', and 'Integration' sections entirely — they explain concepts Claude already knows and duplicate the skill description metadata.
- Add validation/error handling steps: what to do when the plugin fails, how to handle false positives, and how to verify remediation was successful.
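The kind of concrete material the suggestions above ask for, shown here as an added illustration that is not part of the reviewed skill and does not reproduce the sql-injection-detector plugin's own logic or output format: a small AST-based finder for Python code that flags DB-API sink calls (`execute`, `executemany`, `executescript`, plus Django-style `raw`) whose query argument embeds runtime data, tags each finding with a confidence level so an agent can triage false positives, and emits JSON. The `SAMPLE` input is constructed for this example and pairs four injectable query constructions with the parameterised fix that should pass clean.

```python
"""Added example: a heuristic, AST-based SQL injection finder for Python sources.

Not the sql-injection-detector plugin's code; SAMPLE is a constructed input.
"""
import ast
import json
from dataclasses import dataclass, asdict
from typing import Optional

# Method names treated as query sinks (DB-API 2.0 cursors plus Django's .raw()).
SINK_NAMES = {"execute", "executemany", "executescript", "raw"}


@dataclass
class Finding:
    line: int
    sink: str
    kind: str
    confidence: str   # "high" for visible interpolation, "low" for an opaque variable
    evidence: str


def _is_literal(node: ast.AST) -> bool:
    """True for a string constant or a '+'-concatenation made only of string constants."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _is_literal(node.left) and _is_literal(node.right)
    return False


def _dynamic_kind(node: ast.AST) -> Optional[str]:
    """Classify how a query expression embeds runtime data; None means it looks static."""
    if isinstance(node, ast.JoinedStr):
        has_values = any(isinstance(v, ast.FormattedValue) for v in node.values)
        return "f-string interpolation" if has_values else None
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Mod):
            return "%-formatting"
        if isinstance(node.op, ast.Add) and not _is_literal(node):
            return "string concatenation"
        return None
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    if isinstance(node, ast.Name):
        return "non-literal variable"   # cannot prove it is constant; report for triage
    return None


def scan_source(source: str, filename: str = "<string>") -> list:
    """Return a Finding for every sink call whose first (query) argument is dynamic."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SINK_NAMES or not node.args:
            continue
        kind = _dynamic_kind(node.args[0])
        if kind is None:
            continue
        confidence = "low" if kind == "non-literal variable" else "high"
        segment = ast.get_source_segment(source, node) or ""
        findings.append(Finding(node.lineno, node.func.attr, kind, confidence,
                                segment.splitlines()[0] if segment else ""))
    findings.sort(key=lambda f: f.line)
    return findings


def report_json(findings: list) -> str:
    """Serialise findings in a JSON shape a skill could hand back to the agent."""
    return json.dumps([asdict(f) for f in findings], indent=2)


# Constructed sample: four injectable constructions, then the parameterised fix.
SAMPLE = '''\
import sqlite3

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)
    cur.execute("SELECT * FROM users WHERE name = '{}'".format(username))
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchall()
'''

if __name__ == "__main__":
    print(report_json(scan_source(SAMPLE, "sample.py")))
```

Running the block reports lines 5 to 8 of the sample at high confidence and stays silent on line 9, where the value travels in the parameter tuple instead of the SQL text. A bare variable passed as the query (`cur.execute(q)`) is reported at low confidence rather than dropped: the scanner cannot see how `q` was built, so the agent following the skill should inspect it rather than trust or dismiss it, which is exactly the false-positive handling the review asks the skill to spell out.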
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose with extensive padding. The 'Overview' restates the description, 'How It Works' explains obvious plugin mechanics, 'When to Use' repeats trigger conditions from metadata, 'Integration' section adds no actionable value, and 'Best Practices' explains SQL injection prevention concepts Claude already knows well. | 1 / 3 |
| Actionability | No concrete code, commands, or executable guidance anywhere. The examples describe what the skill 'will do' in abstract terms rather than showing actual plugin invocation syntax, command-line usage, or output formats. There is no copy-paste ready content. | 1 / 3 |
| Workflow Clarity | The steps listed are vague descriptions of what the plugin does internally ('analyzes code patterns, input vectors') rather than actionable steps Claude should follow. No validation checkpoints, no error handling, no feedback loops, and no concrete sequencing of actual operations. | 1 / 3 |
| Progressive Disclosure | Monolithic content with no references to external files and no meaningful structural organization. All sections contain roughly the same level of vague abstraction with no layering of quick-start vs. advanced content. No bundle files exist to reference either. | 1 / 3 |
| Total | | 4 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.