Execute this skill enables AI assistant to conduct a security-focused code review using the security-agent plugin. it analyzes code for potential vulnerabilities like sql injection, xss, authentication flaws, and insecure dependencies. AI assistant uses this skill wh... Use when assessing security or running audits. Trigger with phrases like 'security scan', 'audit', or 'vulnerability'.
74
Quality: 70% (does it follow best practices?)
Impact: Pending (no eval scenarios have been run)
Critical: do not install without reviewing
Optimize this skill with Tessl: `npx tessl skill review --optimize ./plugins/examples/security-agent/skills/performing-security-code-review/SKILL.md`

Quality
Discovery: 89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description covers the key elements: it identifies the domain (security code review), lists specific vulnerability types, and provides explicit trigger guidance. However, it suffers from truncation ('wh...'), uses first/third person inconsistently ('Execute this skill enables AI assistant'), and the opening is awkward. The specificity of concrete actions could be improved beyond just 'analyzes code'.
Suggestions
Fix the truncated text ('AI assistant uses this skill wh...') and rewrite the opening to be cleaner third-person voice, e.g., 'Conducts security-focused code reviews...' instead of 'Execute this skill enables AI assistant to conduct...'
List more concrete actions beyond 'analyzes code', such as 'flags vulnerable dependencies, identifies injection points, recommends remediation steps' to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (security code review) and lists some specific vulnerability types (SQL injection, XSS, authentication flaws, insecure dependencies), but the actions are not fully concrete—it says 'analyzes code' rather than listing distinct operations. The truncation ('wh...') also hurts clarity. | 2 / 3 |
| Completeness | The description answers both 'what' (security-focused code review analyzing vulnerabilities like SQL injection, XSS, etc.) and 'when' (explicit 'Use when assessing security or running audits. Trigger with phrases like...'). Both are clearly stated. | 3 / 3 |
| Trigger Term Quality | Includes natural trigger terms users would say: 'security scan', 'audit', 'vulnerability', 'sql injection', 'xss', 'authentication flaws', 'insecure dependencies', and 'security-focused code review'. Good coverage of terms a user would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Security-focused code review is a clear niche with distinct triggers ('security scan', 'audit', 'vulnerability'). This is unlikely to conflict with general code review or other non-security skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a well-structured security review framework with clear categories and output format, but falls short on actionability — it describes what to look for without providing the actual grep patterns, regex expressions, or executable scripts needed to perform the scans. The workflow is sequential but lacks validation checkpoints for a process that inherently produces false positives. The content could be more concise by removing explanations of concepts Claude already understands and providing concrete tooling instead.
Suggestions
Add concrete, executable grep/regex patterns for each scan category (e.g., `grep -rnE 'AKIA[0-9A-Z]{16}' --include='*.js' .` for AWS access key ID detection; `-E` is required because under grep's default basic syntax `{16}` is a literal pair of braces, not a repetition count) instead of describing what to search for abstractly.
Add a validation/triage step after scanning (e.g., 'Review each finding for false positives by checking if the match is in test fixtures, comments, or documentation before including in the final report').
Move the error handling table and detailed examples into a referenced file (e.g., `references/examples.md`) to keep the main skill lean and focused on the core workflow.
Remove prerequisite items Claude already knows (like 'Familiarity with OWASP Top 10') and trim the overview to avoid restating what the instructions already cover.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is reasonably structured but includes unnecessary context Claude already knows (e.g., 'Familiarity with OWASP Top 10 vulnerability categories' as a prerequisite, explaining what SQL injection and XSS are). The error handling table and examples add bulk that could be tightened. Some sections like 'Overview' restate what the instructions already convey. | 2 / 3 |
| Actionability | The instructions describe what to look for but lack executable code or concrete grep commands/patterns. For example, step 2 says 'search for patterns matching API keys' but doesn't provide the actual regex patterns. Step 5 mentions 'npm audit' which is concrete, but most other steps are descriptive rather than copy-paste ready. No actual code snippets for performing the scans. | 2 / 3 |
| Workflow Clarity | The seven steps provide a clear sequence for the review process, and the output format is well-defined. However, there are no validation checkpoints or feedback loops — no step says 'verify findings before reporting' or 'if scan produces too many results, narrow scope and re-run.' For a security audit that could produce false positives, missing validation caps this at 2. | 2 / 3 |
| Progressive Disclosure | The content is organized into clear sections (Instructions, Output, Error Handling, Examples, Resources) and references external resources including a bundled reference directory. However, the skill is fairly long and monolithic — the error handling table, detailed examples, and all scan categories could be split into referenced files. The reference to '${CLAUDE_SKILL_DIR}/references/README.md' suggests supporting files exist but the main file tries to contain everything. | 2 / 3 |
| Total | | 8 / 12 Passed |
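The following is an added example of what the Actionability and Workflow Clarity findings above (and the first two suggestions) are asking the skill to carry: a pattern-driven secret scan followed by a triage pass that marks matches in test fixtures, docs, comments or obvious placeholders as likely false positives before they reach the report. It is not code from the security-agent skill, from Tessl, or from any real scanner; the patterns, the directory list, the placeholder heuristic and the sample repository are all assumptions constructed for the demonstration, and it goes slightly beyond the page's `AKIA` example by also matching `ASIA` temporary-credential IDs.

```python
"""Secret-pattern scan with a false-positive triage pass (added example)."""
import re
from pathlib import PurePosixPath

# Scan patterns, one per finding category (assumed; tune for your code base).
PATTERNS = {
    # AWS access key IDs: AKIA = long-term user key, ASIA = temporary STS key.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM private-key header, with or without an algorithm label.
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
    # A credential-shaped name assigned a quoted literal of 8+ characters.
    "hardcoded_credential": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|passwd|token)\b['\"]?"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Triage heuristics (assumed): where a match sits and what it looks like
# decide whether it is probably noise or needs a human/agent to look at it.
NOISE_DIRS = {"test", "tests", "spec", "fixtures", "docs", "examples", "__mocks__"}
COMMENT_PREFIXES = ("#", "//", "/*", "*", "<!--")
PLACEHOLDER = re.compile(r"(?i)example|changeme|placeholder|your[_-]|xxxx|dummy|<.*>")


def triage(path: str, line: str, match: re.Match) -> tuple[str, str]:
    """Classify one raw match as (status, reason)."""
    parts = {p.lower() for p in PurePosixPath(path).parts}
    if parts & NOISE_DIRS:
        return "likely_false_positive", "match is under a test/fixture/docs directory"
    if line.lstrip().startswith(COMMENT_PREFIXES):
        return "likely_false_positive", "match is inside a comment"
    value = match.group(1) if match.groups() else match.group(0)
    if PLACEHOLDER.search(value):
        return "likely_false_positive", "value looks like a placeholder"
    return "needs_review", "live code with a credential-shaped literal"


def scan(files: dict[str, str]) -> list[dict]:
    """Run every pattern over every line of every file and triage each hit."""
    findings = []
    for path in sorted(files):
        for line_no, line in enumerate(files[path].splitlines(), start=1):
            for name, pattern in PATTERNS.items():
                m = pattern.search(line)
                if m is None:
                    continue
                status, reason = triage(path, line, m)
                findings.append({"path": path, "line": line_no, "pattern": name,
                                 "status": status, "reason": reason})
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per triage status so the report separates signal from noise."""
    counts = {"needs_review": 0, "likely_false_positive": 0}
    for f in findings:
        counts[f["status"]] += 1
    return counts


# Constructed sample repository: fabricated files and values, not from any real project.
SAMPLE_REPO = {
    "src/config.js": (
        "// AWS creds are loaded from env; never hard-code them here\n"
        "const apiKey = 'sk_live_9f8e7d6c5b4a3b2c1d0e';\n"
        "const region = 'us-east-1';\n"
    ),
    "src/aws.js": "const accessKeyId = 'AKIAQ3ZX7Y2BC4DEFG9H';\n",
    "src/auth.js": "const token = process.env.AUTH_TOKEN;\n",
    "src/db.py": "# password = 'oldpassword123'  # removed, see vault\n",
    "src/example_client.js": "const apiKey = '<your-api-key>';\n",
    "src/keys/server.pem": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n",
    "tests/fixtures/creds.json": '{"password": "hunter2hunter2"}\n',
    "docs/setup.md": 'Set API_KEY="your-api-key-here" in .env\n',
}

if __name__ == "__main__":
    results = scan(SAMPLE_REPO)
    for f in results:
        print(f"{f['status']:<22} {f['path']}:{f['line']} {f['pattern']} ({f['reason']})")
    print(summarize(results))
```

On the sample repository the scan raises seven matches, of which three survive triage (the live `apiKey` literal, the `AKIA` key and the PEM header) and four are set aside with a stated reason; the `process.env` assignment never matches because the pattern demands a quoted literal. Keeping the set-aside findings in the output rather than dropping them is deliberate: the reviewing agent can still spot-check them, which is the validation checkpoint the Workflow Clarity row says is missing.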
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |
c8a915c