Hardcoded Credential Finder - Auto-activating skill for Security Fundamentals. Triggers on: hardcoded credential finder, hardcoded credential finder. Part of the Security Fundamentals skill category.
35
3%
Does it follow best practices?
Impact
93%
0.94x average score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl:
npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/hardcoded-credential-finder/SKILL.md
Quality
Discovery
7%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is extremely weak—it essentially just restates the skill name without describing what the skill actually does, what actions it performs, or when Claude should select it. It lacks concrete capabilities, natural trigger terms, and any explicit 'Use when' guidance, making it nearly useless for skill selection among multiple options.
Suggestions
Add specific concrete actions such as 'Scans source code for hardcoded API keys, passwords, tokens, and secrets; flags insecure credential storage; suggests secure alternatives like environment variables or secret managers.'
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to find secrets in code, detect hardcoded passwords, scan for API keys, or review code for credential leaks.'
Include natural trigger terms users would actually say, such as 'secrets', 'API keys', 'passwords in code', 'credential leak', 'secret scanning', '.env', 'token exposure'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain ('hardcoded credential finder') but does not describe any concrete actions like scanning files, detecting API keys, flagging passwords, or suggesting remediation. It merely repeats the skill name. | 1 / 3 |
| Completeness | The 'what' is extremely weak (no concrete actions described) and the 'when' is missing entirely—there is no 'Use when...' clause or equivalent explicit trigger guidance beyond repeating the skill name. | 1 / 3 |
| Trigger Term Quality | The trigger terms are just the skill name repeated twice ('hardcoded credential finder'). It misses natural user terms like 'secrets in code', 'API keys', 'passwords in source', 'credential scanning', 'secret detection', or 'leaked credentials'. | 1 / 3 |
| Distinctiveness / Conflict Risk | The term 'hardcoded credential finder' is somewhat specific to a niche (security credential scanning), which reduces conflict risk with unrelated skills. However, the lack of detail means it could overlap with broader security scanning or code review skills. | 2 / 3 |
| Total | | 5 / 12 Passed |
Implementation
0%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially a placeholder or stub with no substantive content. It contains only meta-descriptions of what the skill would do without any actual instructions, code examples, detection patterns, or workflows for finding hardcoded credentials. It provides no value beyond what Claude already knows about the topic.
Suggestions
Add concrete, executable code examples for scanning files for hardcoded credentials (e.g., regex patterns for API keys, passwords, tokens in source code)
Define a clear multi-step workflow: identify target files → scan with patterns → classify findings → report results, with validation at each step
Include specific patterns to detect (e.g., AWS keys, database connection strings, JWT secrets) with real regex or grep commands
Remove all meta-description sections ('Purpose', 'When to Use', 'Example Triggers') and replace with actionable content that teaches how to actually find hardcoded credentials
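The workflow the review asks for (identify target files → scan with patterns → classify findings → report), as an added example that is not part of the reviewed skill or of Tessl: a small regex scanner for AWS access key IDs, database connection strings and JWT/generic secret assignments, with suppression of obvious placeholders and of values read from the environment. The pattern set, the `Finding` type and the sample file contents are constructed assumptions.

```python
"""Constructed example of a hardcoded-credential scanner (not the skill's code)."""
import re
from dataclasses import dataclass

# Detection patterns: name -> (compiled regex, severity). Group 1, if present, is the value.
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    "db_connection_string": (
        re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:/@]+:[^\s@]+@", re.I), "high"),
    "jwt_or_generic_secret": (
        re.compile(r"(?i)\b(?:jwt_secret|secret_key|api_key|password)\b\s*[=:]\s*['\"]([^'\"]{8,})['\"]"),
        "medium"),
}
# Placeholder values and environment lookups are not findings (reduces false positives).
PLACEHOLDER = re.compile(r"(?i)^(?:change[_-]?me|example|xxx+|<[^>]+>|\$\{[^}]+\})$")
ENV_LOOKUP = re.compile(r"(?:os\.environ|getenv|process\.env)")

@dataclass
class Finding:
    path: str
    line: int
    kind: str
    severity: str
    snippet: str

def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line and classify each hit."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if ENV_LOOKUP.search(line):
            continue  # value comes from the environment, not hardcoded
        for kind, (rx, sev) in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if PLACEHOLDER.match(value):
                continue  # obvious placeholder, skip
            findings.append(Finding(path, no, kind, sev, line.strip()[:80]))
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    """Step 1+2: iterate over target files (path -> contents) and scan each."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

def report(findings: list[Finding]) -> str:
    """Step 4: one line per finding, severity first so it sorts in a triage view."""
    return "\n".join(f"[{f.severity}] {f.path}:{f.line} {f.kind}: {f.snippet}" for f in findings)

SAMPLE = {  # constructed sample sources; the AWS key is AWS's documented example value
    "config.py": 'DB_URL = "postgres://app:hunter2@db.internal/app"\nPASSWORD = os.environ["DB_PASS"]\nJWT_SECRET = "CHANGE_ME"\n',
    "deploy.sh": 'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n',
}
```

Running `print(report(scan_files(SAMPLE)))` reports the connection string and the AWS key ID while skipping the environment lookup and the `CHANGE_ME` placeholder.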
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is entirely filler and meta-description. It explains what the skill does in abstract terms without providing any actual instructions, code, or concrete guidance. Every section restates the same vague information. | 1 / 3 |
| Actionability | There is zero actionable content—no code, no commands, no patterns to detect hardcoded credentials, no regex examples, no file scanning approaches. It only describes what the skill would do rather than actually doing it. | 1 / 3 |
| Workflow Clarity | No workflow is defined. There are no steps, no sequence, no validation checkpoints. The 'Capabilities' section mentions 'step-by-step guidance' but none is actually provided. | 1 / 3 |
| Progressive Disclosure | The content is a flat, monolithic block of meta-descriptions with no references to detailed materials, no linked resources, and no structured navigation to deeper content. | 1 / 3 |
| Total | | 4 / 12 Passed |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |
87f14eb