CtrlK
BlogDocsLog inGet started
Tessl Logo

performing-security-code-review

Execute this skill enables AI assistant to conduct a security-focused code review using the security-agent plugin. it analyzes code for potential vulnerabilities like sql injection, xss, authentication flaws, and insecure dependencies. AI assistant uses this skill wh... Use when assessing security or running audits. Trigger with phrases like 'security scan', 'audit', or 'vulnerability'.

61

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Risky

Do not use without reviewing

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is a tight, well-structured scan checklist that respects token budget and Claude's intelligence, but it stops short of wiring in the provided executable scripts and lacks explicit validation feedback loops for what is a batch scanning operation.

Suggestions

Reference and actually invoke the bundled scripts from the workflow — e.g. 'Run `${CLAUDE_SKILL_DIR}/scripts/code_analyzer.py <path>` to enumerate files and feed results into step 7' — to make guidance fully executable and use the existing bundle.

Add an explicit validation/checkpoint between scanning and reporting (e.g. 'Before compiling findings, verify each flagged pattern against its surrounding context to filter false positives'), since batch scanning is exactly the operation the rubric wants feedback loops for.

Link the report_template.md asset in the Output section ('Use `${CLAUDE_SKILL_DIR}/assets/report_template.md` as the report skeleton') rather than describing the report format inline.

DimensionReasoningScore

Conciseness

The body is lean and assumes Claude's competence — it lists scan categories, concrete patterns (AKIA..., BEGIN PRIVATE KEY), and severity tiers without explaining what SQL injection or XSS is, so every token earns its place.

3 / 3

Actionability

It gives specific patterns and commands (npm audit, grep patterns), but provides no executable scanning code or copy-paste grep commands in the body — the bundled analyzer script is never invoked, so guidance is actionable but not fully executable.

2 / 3

Workflow Clarity

The seven-step sequence is clearly ordered, but there are no validation checkpoints or verify-then-proceed feedback loops, and the error-handling table is separate from the steps rather than integrated as recovery loops.

2 / 3

Progressive Disclosure

Sections are well-organized and a reference path (${CLAUDE_SKILL_DIR}/references/README.md) is signaled, but the bundled scripts and assets (code_analyzer.py, example_code_*.py, report_template.md) are not referenced from the body, so the existing bundle structure is underutilized.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description conveys the right domain and explicit triggers, but its wording is malformed — truncated ('wh...'), grammatically broken, and shifts voice — which undermines specificity and distinctiveness.

Suggestions

Rewrite the description in clean third person, e.g. 'Conducts security-focused code reviews that scan for SQL injection, XSS, authentication flaws, insecure dependencies, and secret exposure. Use when assessing security or running audits — trigger with phrases like security scan, audit, or vulnerability.'

Remove the broken placeholder text ('AI assistant uses this skill wh...') and the first/second-person framing ('Execute this skill enables AI assistant'), which the rubric penalizes for voice.

Drop the implementation detail about the 'security-agent plugin' from the description to sharpen distinctiveness and avoid over-claiming tool coupling.

DimensionReasoningScore

Specificity

The description names the domain (security code review) and specific vulnerability types ('sql injection, xss, authentication flaws, and insecure dependencies'), but is wrapped in broken, first-person-flavored prose ('Execute this skill enables AI assistant', 'AI assistant uses this skill wh...') that obscures the concrete actions.

2 / 3

Completeness

It states what the skill does ('conduct a security-focused code review', analyzing specific vulnerability types) and when to use it ('Use when assessing security or running audits'), satisfying both the what and when requirements with an explicit trigger clause.

3 / 3

Trigger Term Quality

It lists natural trigger phrases a user would actually say ('security scan', 'audit', 'vulnerability') alongside the security domain, giving good coverage of likely user keywords.

3 / 3

Distinctiveness Conflict Risk

The security-audit niche is reasonably distinct, but the garbled phrasing and reliance on the 'security-agent plugin' weaken the clear trigger boundary, leaving some overlap with general code-review skills.

2 / 3

Total

10

/

12

Passed

Validation

87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation14 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

allowed_tools_field

'allowed-tools' contains unusual tool name(s)

Warning

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

14

/

16

Passed

Repository
jeremylongshore/claude-code-plugins-plus-skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.