
performing-security-code-review

Execute this skill enables AI assistant to conduct a security-focused code review using the security-agent plugin. it analyzes code for potential vulnerabilities like sql injection, xss, authentication flaws, and insecure dependencies. AI assistant uses this skill wh... Use when assessing security or running audits. Trigger with phrases like 'security scan', 'audit', or 'vulnerability'.

Overall score: 74

Quality: 70% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security (by Snyk): Critical. Do not install without reviewing.

Skill file: ./plugins/examples/security-agent/skills/performing-security-code-review/SKILL.md

Quality

Discovery: 89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description covers the essential elements: it identifies the domain (security code review), lists some vulnerability types, and includes explicit trigger guidance. However, it has notable quality issues: the text appears truncated ('wh...'), uses first-person framing ('AI assistant'), and the opening 'Execute this skill enables AI assistant' is awkward and non-standard. The specificity of concrete actions could be improved.

Suggestions

Fix the truncated text ('AI assistant uses this skill wh...') and rewrite in proper third-person voice describing actions (e.g., 'Analyzes code for vulnerabilities...' rather than 'enables AI assistant to conduct...').

List more concrete actions beyond 'analyzes code', such as 'scans dependencies for known CVEs, identifies injection points, generates remediation recommendations'.

Dimension scores (dimension, score, reasoning):

Specificity (2 / 3): The description names the domain (security code review) and lists some specific vulnerability types (SQL injection, XSS, authentication flaws, insecure dependencies), but the actions are not fully concrete: it says 'analyzes code' rather than listing distinct operations like 'scan dependencies, flag injection points, generate remediation reports'.

Completeness (3 / 3): The description answers both 'what' (security-focused code review analyzing vulnerabilities like SQL injection, XSS, etc.) and 'when' (explicit 'Use when assessing security or running audits. Trigger with phrases like...'). Both are clearly stated.

Trigger Term Quality (3 / 3): Includes natural trigger terms users would say: 'security scan', 'audit', 'vulnerability', 'sql injection', 'xss', 'authentication flaws', 'insecure dependencies', and 'security-focused code review'. Good coverage of terms a user would naturally use.

Distinctiveness / Conflict Risk (3 / 3): The description is clearly scoped to security-focused code review and vulnerability analysis, which is a distinct niche. The specific mention of the security-agent plugin and vulnerability types like SQL injection and XSS make it unlikely to conflict with general code review or other skills.

Total: 11 / 12 (Passed)

Implementation: 50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides a well-structured checklist for security code review with clear categories and a useful output format specification. However, it lacks concrete executable examples (grep patterns, regex for secrets, actual code snippets) that would make it truly actionable, and the workflow lacks validation checkpoints. The content is moderately verbose with some information Claude already knows (OWASP categories, what SQL injection is).

Suggestions

Add concrete grep/regex patterns for secret detection (e.g., `grep -rnE 'AKIA[0-9A-Z]{16}' .`; the `-E` flag is needed because the `{16}` interval is literal in basic grep syntax) and SQL injection scanning instead of describing what to look for in prose.

Integrate validation checkpoints into the workflow, such as 'After scanning for secrets, verify each match is not a test fixture or documentation example before classifying severity.'

Remove explanatory content Claude already knows (e.g., what SQL injection, XSS, and OWASP are) and replace with specific, executable detection commands and patterns.

Either provide the referenced `${CLAUDE_SKILL_DIR}/references/README.md` bundle file or remove the dead reference from the Resources section.

Dimension scores (dimension, score, reasoning):

Conciseness (2 / 3): The skill includes some unnecessary verbosity: 'Familiarity with OWASP Top 10 vulnerability categories' is something Claude already knows, and the overview restates what the instructions already convey. The error handling table and examples add useful but somewhat padded content. Could be tightened by ~30%.

Actionability (2 / 3): The instructions describe what to look for but lack executable code or concrete commands beyond 'npm audit'. There are no grep patterns, no regex examples for secret detection, no code snippets showing how to actually perform the scans. The examples section describes processes in prose rather than providing executable steps.

Workflow Clarity (2 / 3): The seven steps are clearly sequenced and the final compilation step is logical. However, there are no validation checkpoints or feedback loops; no step says 'verify findings before reporting' or 'if no vulnerabilities found in category X, skip to next.' The false positive handling is only in the error table, not integrated into the workflow.

Progressive Disclosure (2 / 3): The content references `${CLAUDE_SKILL_DIR}/references/README.md` but no bundle files exist, making this a dead reference. The skill is somewhat monolithic; the error handling table, examples, and resources could potentially be split out. The section structure is reasonable but the inline content is heavy for a single SKILL.md with no supporting files.

Total: 8 / 12 (Passed)

Validation: 81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 passed

Validation for skill structure (criteria, description, result):

allowed_tools_field: 'allowed-tools' contains unusual tool name(s). Result: Warning

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 9 / 11 (Passed)

Repository: jeremylongshore/claude-code-plugins-plus-skills (reviewed)
