Hardcoded Credential Finder - Auto-activating skill for Security Fundamentals. Triggers on: hardcoded credential finder, hardcoded credential finder. Part of the Security Fundamentals skill category.
35
3% (Does it follow best practices?)
Impact: 93% (0.94x average score across 3 eval scenarios)
Passed
No known issues
Optimize this skill with Tessl: `npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/hardcoded-credential-finder/SKILL.md`

Quality
Discovery
7%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is extremely weak — it essentially just restates the skill name without describing any concrete capabilities, use cases, or natural trigger terms. It provides no actionable information for Claude to determine when to select this skill over others, and the trigger terms are redundantly identical to the skill title.
Suggestions
Add specific concrete actions the skill performs, e.g., 'Scans source code for hardcoded passwords, API keys, tokens, and secrets. Reports file locations and suggests secure alternatives like environment variables or secret managers.'
Add a 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about finding secrets in code, detecting hardcoded passwords, API key leaks, credential scanning, or security auditing source files.'
Include common file types or contexts, e.g., 'Works with source code files (.py, .js, .java, .env, config files) to identify exposed credentials and sensitive strings.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain ('hardcoded credential finder') but does not describe any concrete actions like scanning files, detecting API keys, flagging passwords, or suggesting remediation. It merely repeats the skill name without explaining what it actually does. | 1 / 3 |
| Completeness | The description fails to clearly answer 'what does this do' beyond the name, and the 'when' clause is essentially just the skill name repeated. There is no explicit 'Use when...' guidance with meaningful triggers. | 1 / 3 |
| Trigger Term Quality | The trigger terms are just the skill name repeated twice ('hardcoded credential finder'). It lacks natural keywords users would say such as 'secrets', 'API keys', 'passwords in code', 'credential scanning', 'leaked secrets', or 'hardcoded passwords'. | 1 / 3 |
| Distinctiveness Conflict Risk | The term 'hardcoded credential finder' is somewhat specific to a niche (security scanning for credentials), which provides some distinctiveness. However, the lack of concrete actions or file types means it could overlap with broader security scanning skills. | 2 / 3 |
| Total | | 5 / 12 Passed |
Implementation
0%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially a placeholder with no substantive content. It contains only meta-descriptions of what it claims to do without any actual instructions, code examples, regex patterns, or concrete guidance for finding hardcoded credentials. It fails on every dimension because it provides zero actionable information.
Suggestions
Add concrete code examples for scanning files for hardcoded credentials (e.g., regex patterns for API keys, passwords, tokens, connection strings)
Include a clear workflow: 1) Define file types to scan, 2) Run pattern matching, 3) Classify findings by severity, 4) Validate findings to reduce false positives
Provide specific examples of common hardcoded credential patterns (AWS keys, GitHub tokens, database connection strings) with detection regex
Remove all meta-description sections ('Purpose', 'When to Use', 'Example Triggers') and replace with actionable content that teaches how to actually find hardcoded credentials
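The four-step workflow the suggestions above ask for, as an added example that is not part of the reviewed skill, the Tessl page, or any Tessl tooling: a Python scanner with a file-type allow-list (step 1), a rule table of regexes for the documented AWS and GitHub token prefixes, URL-embedded passwords, private-key headers and a generic `KEYWORD = "value"` rule (step 2), a severity label per rule (step 3), and a triage pass that drops template references, placeholder values and low-entropy strings before anything is reported (step 4). The rule set, severity labels, marker lists, the 3.0 bits-per-character threshold and the sample corpus are all assumptions chosen for this example; every credential in the corpus is fabricated.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PurePosixPath

# Step 1: file types to scan. SCAN_NAMES covers dotfiles such as ".env", whose
# pathlib suffix is empty. Both sets are assumptions chosen for this example.
SCAN_SUFFIXES = {".py", ".js", ".ts", ".java", ".go", ".rb", ".yml", ".yaml", ".json",
                 ".ini", ".cfg", ".conf", ".toml", ".properties", ".pem", ".key"}
SCAN_NAMES = {".env", ".npmrc", ".pypirc"}

# Step 2: detection rules, most specific first. Each entry is (rule name, regex,
# severity, index of the capture group holding the secret). Token shapes follow the
# vendors' documented prefixes (AKIA/ASIA, ghp_/gho_/...); revisit them as formats change.
RULES = [
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----"), "critical", 0),
    ("aws_access_key_id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"), "high", 1),
    ("github_token", re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b"), "high", 1),
    ("url_with_password",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@]+)@[^\s/]+", re.I), "high", 1),
    # KEYWORD = "value", allowing a prefix (SMTP_PASSWORD) and unquoted values (.env files)
    ("generic_secret_assignment",
     re.compile(r"(?i)\b(?:\w*[_-])?(?:pass(?:word|wd)?|secret|api[_-]?key|token)"
                r"\s*[:=]\s*['\"]?([^'\"\s]{8,})['\"]?"), "medium", 1),
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
PLACEHOLDER_MARKERS = ("example", "changeme", "placeholder", "your_", "xxxx", "todo", "dummy", "sample")
REFERENCE_MARKERS = ("${", "$(", "%(", "{{", "<")  # env/template references, not literals

@dataclass
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    preview: str  # masked value: the scanner never writes the full secret anywhere
    verdict: str  # "report" or "suppressed:<reason>"

def shannon_entropy(s: str) -> float:
    """Bits per character: random secrets score well above 3.0, dictionary words below."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def mask(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)

def should_scan(path: str) -> bool:
    p = PurePosixPath(path)
    return p.suffix in SCAN_SUFFIXES or p.name in SCAN_NAMES

def triage(rule: str, value: str) -> str:
    """Step 4: cheap false-positive filters, applied before a match is reported."""
    low = value.lower()
    if any(m in low for m in REFERENCE_MARKERS):
        return "suppressed:reference-not-literal"
    if any(m in low for m in PLACEHOLDER_MARKERS):
        return "suppressed:placeholder"
    if rule == "generic_secret_assignment" and shannon_entropy(value) < 3.0:
        return "suppressed:low-entropy"
    return "report"

def scan_text(path: str, text: str) -> list[Finding]:
    """Step 3: run every rule over every line; a span claimed by a more specific
    rule is not reported a second time by a less specific one."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        claimed = []
        for rule, regex, severity, group in RULES:
            for m in regex.finditer(line):
                start, end = m.span(group)
                if any(start < e and s < end for s, e in claimed):
                    continue
                claimed.append((start, end))
                value = m.group(group)
                findings.append(Finding(path, line_no, rule, severity, mask(value), triage(rule, value)))
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} corpus; return reportable findings, worst first."""
    hits = [f for path, text in files.items() if should_scan(path)
            for f in scan_text(path, text) if f.verdict == "report"]
    return sorted(hits, key=lambda f: (SEVERITY_RANK[f.severity], f.path, f.line))

# Constructed sample corpus: every value below is fake and exists only for this example.
SAMPLE_FILES = {
    "app/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"\n'
        'DB_URL = "postgres://app:Sup3rS3cretPw!@db.internal:5432/app"\n'
        'ADMIN_PASSWORD = "changeme"\n'
        'SMTP_PASSWORD = "q7!Zr2#pLm9vXe4B"\n'
    ),
    "deploy/app.yaml": 'api_key: "${API_KEY}"\n',
    "deploy/.env": "GITHUB_TOKEN=ghp_" + "A1b2C3d4" * 5 + "\n",
    "certs/server.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEfake\n-----END RSA PRIVATE KEY-----\n",
    "docs/README.md": 'password = "Tr0ub4dor&3xyz"\n',  # .md is outside the scan list
}
```

Running `scan_files(SAMPLE_FILES)` returns five findings: the private-key header first, then the AWS key, the connection-string password, the GitHub token, and the SMTP password. `changeme` and `${API_KEY}` are matched but suppressed, the `.env` line yields one finding rather than two because the generic rule skips the span the GitHub rule already claimed, and the README is never opened. Masking the value in the preview matters: a scanner that prints the secrets it finds simply creates a second copy of them in CI logs.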
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is entirely filler and meta-description. It explains what the skill does in abstract terms without providing any actual instructions, code, or concrete guidance. Every section restates the same vague information. | 1 / 3 |
| Actionability | There is zero actionable content—no code, no commands, no specific patterns to detect hardcoded credentials, no regex examples, no file scanning approaches. It only describes rather than instructs. | 1 / 3 |
| Workflow Clarity | No workflow is defined. The skill claims to provide 'step-by-step guidance' but contains no actual steps, no sequence, and no validation checkpoints for finding hardcoded credentials. | 1 / 3 |
| Progressive Disclosure | The content is a flat, monolithic block of vague descriptions with no references to detailed materials, no links to related files, and no structured navigation to deeper content. | 1 / 3 |
| Total | | 4 / 12 Passed |
Validation
81%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
3076d78