
performing-security-code-review

Execute this skill enables AI assistant to conduct a security-focused code review using the security-agent plugin. it analyzes code for potential vulnerabilities like sql injection, xss, authentication flaws, and insecure dependencies. AI assistant uses this skill wh... Use when assessing security or running audits. Trigger with phrases like 'security scan', 'audit', or 'vulnerability'.

59

Quality

70%

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Risky

Do not use without reviewing

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/examples/security-agent/skills/performing-security-code-review/SKILL.md

Quality

Discovery

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description covers the security code review domain reasonably well with explicit trigger terms and a clear 'Use when' clause. However, it suffers from a truncation issue ('wh...'), uses first/third person inconsistently ('Execute this skill enables AI assistant'), and could list more concrete actions beyond 'analyzes code'. The trigger terms and completeness are strong points.

Suggestions

Fix the truncated text ('AI assistant uses this skill wh...') to complete the sentence and ensure the full description is readable.

Rewrite to use consistent third-person voice throughout (e.g., 'Conducts security-focused code review...' instead of 'Execute this skill enables AI assistant to conduct...').

List more specific concrete actions beyond 'analyzes code', such as 'flags insecure dependencies, detects injection points, reports authentication weaknesses'.

Dimension / Reasoning / Score

Specificity

The description names the domain (security code review) and lists some specific vulnerability types (SQL injection, XSS, authentication flaws, insecure dependencies), but the actions are not fully concrete—it says 'analyzes code' rather than listing distinct operations. The truncation ('wh...') also hurts clarity.

2 / 3

Completeness

The description answers both 'what' (security-focused code review analyzing vulnerabilities) and 'when' (explicit 'Use when assessing security or running audits' clause with trigger phrases). Despite the truncation, both components are present.

3 / 3

Trigger Term Quality

Includes natural trigger terms users would say: 'security scan', 'audit', 'vulnerability', plus domain terms like 'SQL injection', 'XSS', 'authentication flaws', and 'insecure dependencies'. Good coverage of terms a user would naturally use.

3 / 3

Distinctiveness Conflict Risk

The security code review niche is clearly defined with specific triggers like 'security scan', 'audit', and 'vulnerability'. This is unlikely to conflict with general code review or other non-security skills.

3 / 3

Total: 11 / 12 (Passed)

Implementation

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides a reasonable high-level framework for security code review but falls short on actionability — it describes what to look for without providing the concrete grep patterns, regex expressions, or executable commands needed to actually perform the scans. The workflow is sequential but lacks validation checkpoints and feedback loops important for security auditing. The content is moderately concise but explains some concepts Claude already understands well.

Suggestions

Add concrete grep commands and regex patterns for each scan category (e.g., `grep -rnE 'AKIA[0-9A-Z]{16}' --include='*.js' .` for AWS access key ID detection; note that `-E` is needed, since basic grep syntax treats `{16}` as literal text) to make the skill truly executable.

Add a validation/verification step after scanning — e.g., 'Review each finding in context before including in the final report; confirm the flagged code is reachable and not in test fixtures.'

Remove explanatory content Claude already knows (e.g., what SQL injection or XSS is) and replace with terse pattern-matching rules and specific code patterns to flag.

Either provide the referenced `${CLAUDE_SKILL_DIR}/references/README.md` bundle file or remove the broken reference from the Resources section.
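The following is an added example of what the first two suggestions look like when written out, not code from the reviewed skill or from Tessl. It scans a small tree constructed inline for AWS access key ID candidates, then applies a verification pass that drops matches living under test or fixture directories before they reach the report. The directory names in the fixture filter and the sample file contents are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not part of the reviewed skill): a secret-scan step followed
# by the verification step the review asks for. Sample tree, file contents and
# the fixture-directory list are constructed/assumed for illustration.

# Constructed sample tree: one real hit under src/, one hit inside a test
# fixture, and one comment that mentions the prefix without being a key.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/src" "$dir/test/fixtures"
  printf 'const key = "AKIAIOSFODNN7EXAMPLE";\n' > "$dir/src/config.js"
  printf 'module.exports = { key: "AKIAAAAAAAAAAAAAAAAA" };\n' > "$dir/test/fixtures/creds.js"
  printf '// AKIA is the prefix AWS uses for access key ids\n' > "$dir/src/notes.js"
  printf '%s' "$dir"
}

# Step 1, raw scan: every AWS access-key-id candidate as path:line:content.
# -E is required: in basic regex syntax grep treats {16} as literal text.
scan_aws_keys() {
  grep -rnE --include='*.js' 'AKIA[0-9A-Z]{16}' "$1" || true
}

# Step 2, verification: drop matches whose path (field 1, before the first
# colon) sits under a test or fixture directory. Filtering on the path field
# rather than the whole line means a code comment containing "/test/" cannot
# hide a real finding. The directory list is an assumption; extend per repo.
filter_test_fixtures() {
  awk -F: '$1 !~ /(^|\/)(test|tests|spec|__tests__|fixtures)\//'
}

# Findings that survive verification and belong in the final report.
verified_findings() {
  scan_aws_keys "$1" | filter_test_fixtures
}

# Stand-alone demonstration on the constructed tree.
root=$(make_sample_tree)
echo "raw findings:";      scan_aws_keys "$root"
echo "verified findings:"; verified_findings "$root"
rm -rf "$root"
```

On the constructed tree the raw scan reports two candidates and the verified list keeps only `src/config.js`; the fixture hit is dropped and the comment in `notes.js` never matches. In a real audit the reachability check the review mentions still has to be done by reading the surviving lines in context; the path filter only removes the mechanical false positives.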

Dimension / Reasoning / Score

Conciseness

The content is reasonably structured but includes unnecessary preamble (e.g., 'Familiarity with OWASP Top 10 vulnerability categories' as a prerequisite for Claude, explaining what each vulnerability type is). The error handling table and examples add bulk that could be tightened. Some sections explain concepts Claude already knows well (what SQL injection is, what XSS is).

2 / 3

Actionability

The instructions describe what to look for but lack concrete executable commands or code patterns. For example, step 2 says 'search for patterns matching API keys' but provides no grep commands or regex patterns. The dependency audit mentions 'npm audit' which is concrete, but most other steps are descriptive rather than executable. No actual grep commands, regex patterns, or code snippets are provided for the scanning steps.

2 / 3

Workflow Clarity

The seven steps provide a clear sequence for the review process, and the output format is well-defined. However, there are no validation checkpoints or feedback loops — no step to verify findings before reporting, no iterative refinement, and no explicit checkpoint between scanning and report generation. For a security audit that could produce false positives, missing verification loops is a notable gap.

2 / 3

Progressive Disclosure

The content references `${CLAUDE_SKILL_DIR}/references/README.md` but no bundle files exist, making this a broken reference. The skill is somewhat monolithic — the error handling table, examples, and resources could potentially be split out. External links to OWASP and CWE are helpful but the overall structure is flat rather than layered.

2 / 3

Total: 8 / 12 (Passed)

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 passed

Validation for skill structure

Criteria / Description / Result

allowed_tools_field

'allowed-tools' contains unusual tool name(s)

Warning

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total: 9 / 11 (Passed)

Repository
jeremylongshore/claude-code-plugins-plus-skills
Reviewed

