Hardcoded Credential Finder - Auto-activating skill for Security Fundamentals. Triggers on: hardcoded credential finder, hardcoded credential finder. Part of the Security Fundamentals skill category.
Install with Tessl CLI
npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill hardcoded-credential-finder
Overall score: 19%
Does it follow best practices?
Validation for skill structure
Activation: 7%
This description is severely lacking in substance. It merely states the skill name and category without explaining what actions the skill performs, what triggers should activate it, or when Claude should select it. The redundant trigger terms and boilerplate structure provide no useful information for skill selection.
Suggestions
Add specific actions the skill performs, e.g., 'Scans source code to detect hardcoded passwords, API keys, tokens, and other sensitive credentials'
Replace the redundant trigger terms with natural user phrases like 'secrets in code', 'password leak', 'API key exposure', 'credential security', 'sensitive data in source'
Add an explicit 'Use when...' clause describing scenarios, e.g., 'Use when reviewing code for security issues, auditing repositories for leaked secrets, or when users mention credentials, passwords, or API keys in code'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description only names the skill ('Hardcoded Credential Finder') without describing any concrete actions. It doesn't explain what the skill actually does - no verbs like 'scans', 'detects', 'identifies', or 'reports'. | 1 / 3 |
| Completeness | The description fails to answer 'what does this do' (no actions described) and 'when should Claude use it' (no explicit use cases or scenarios). The 'Triggers on' field is not a proper 'Use when...' clause. | 1 / 3 |
| Trigger Term Quality | The 'Triggers on' field redundantly lists 'hardcoded credential finder' twice, providing no natural user keywords. Missing terms users would actually say like 'secrets', 'passwords in code', 'API keys', 'sensitive data', or 'credential leak'. | 1 / 3 |
| Distinctiveness Conflict Risk | The name 'Hardcoded Credential Finder' is somewhat specific to a security niche, but without describing what it actually does or its scope, it could overlap with other security scanning or code review skills. | 2 / 3 |
| Total | 5 / 12 Passed | |
Implementation: 0%
This skill is essentially a placeholder with no actionable content. It describes what a hardcoded credential finder skill would do but provides zero actual guidance on finding credentials - no regex patterns, no file types to scan, no common credential formats, no code examples, and no validation steps. The entire content could be replaced with actual implementation guidance.
Suggestions
Add concrete regex patterns for common credential types (API keys, passwords, tokens) with examples like: `(?i)(password|passwd|pwd)\s*[=:]\s*['"][^'"]+['"]`
Provide a workflow: 1) Define file extensions to scan, 2) Run pattern matching, 3) Filter false positives, 4) Validate findings, 5) Report with file/line references
Include executable code for scanning a directory, such as a Python script using `re` and `pathlib` to find credentials
Add examples of true positives vs false positives to help distinguish real credentials from configuration templates or test fixtures
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is padded with generic boilerplate that explains nothing Claude doesn't already know. Phrases like 'Provides step-by-step guidance' and 'Follows industry best practices' are meaningless filler without actual content. | 1 / 3 |
| Actionability | There is zero concrete guidance - no code, no commands, no patterns, no examples of what hardcoded credentials look like or how to find them. The skill describes what it could do rather than instructing how to do it. | 1 / 3 |
| Workflow Clarity | No workflow is provided whatsoever. A credential finder skill should include steps like: what patterns to search for, which files to scan, how to validate findings, and how to report results. None of this exists. | 1 / 3 |
| Progressive Disclosure | The content is a monolithic block of meta-description with no actual instructional content to organize. There are no references to detailed materials, examples, or related documentation. | 1 / 3 |
| Total | 4 / 12 Passed | |
Validation: 69% (11 / 16 Passed)
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
| Total | 11 / 16 Passed | |