Execute this skill enables AI assistant to conduct a security-focused code review using the security-agent plugin. It analyzes code for potential vulnerabilities like SQL injection, XSS, authentication flaws, and insecure dependencies. AI assistant uses this skill wh... Use when assessing security or running audits. Trigger with phrases like 'security scan', 'audit', or 'vulnerability'.
Install with Tessl CLI
npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill performing-security-code-review51
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Discovery: 89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description effectively communicates its security-focused purpose with good trigger terms and explicit usage guidance. The main weakness is the truncated text ('wh...') which suggests incomplete content, and the use of 'AI assistant' rather than third-person action verbs reduces clarity. The description would benefit from completing the truncated portion and using more direct action-oriented language.
Suggestions
Complete the truncated text to ensure the full description is visible and coherent
Rewrite to use third-person action verbs (e.g., 'Conducts security-focused code review' instead of 'enables AI assistant to conduct')
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (security-focused code review) and lists some specific vulnerabilities (SQL injection, XSS, authentication flaws, insecure dependencies), but the description is truncated and doesn't comprehensively list all actions the skill performs. | 2 / 3 |
| Completeness | Explicitly answers both what (security-focused code review analyzing vulnerabilities) and when (with explicit 'Use when...' clause and trigger phrases). Despite truncation, the essential components are present. | 3 / 3 |
| Trigger Term Quality | Includes good natural trigger terms users would say: 'security scan', 'audit', 'vulnerability', plus domain terms like 'SQL injection', 'XSS'. These are terms users would naturally use when needing this skill. | 3 / 3 |
| Distinctiveness Conflict Risk | Clear security niche with distinct triggers ('security scan', 'audit', 'vulnerability'). Unlikely to conflict with general code review or other skills due to specific security focus and explicit trigger terms. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content is largely boilerplate with minimal actionable guidance. It explains what a security review is and describes abstract workflows without providing any concrete plugin invocation syntax, actual commands, or executable examples. The content would fail to help Claude actually perform a security scan because it lacks the specific technical details needed to use the security-agent plugin.
Suggestions
Add concrete plugin invocation syntax showing exactly how to call the security-agent plugin with specific parameters and code input
Replace abstract examples with actual code snippets showing vulnerable code and the expected security report output format
Remove explanatory sections like 'Overview', 'How It Works', and 'When to Use' - Claude understands these concepts; focus on the specific commands and parameters
Add a clear workflow with validation steps: how to invoke the scan, how to interpret results, what to do if the scan fails or finds issues
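As an added illustration of what the second suggestion above asks for (a vulnerable snippet, its hardened form, and a concrete finding/report shape), the following Python is example code written for this page; it is not code from the skill, from the security-agent plugin, or from Tessl. The two snippets under review are constructed, the `Finding` fields and the report format are assumptions, and it covers only one of the vulnerability classes the skill lists (SQL injection via dynamically built queries), not XSS, authentication flaws or dependency checks.

```python
"""Illustrative security-review finding for one vulnerability class:
SQL injection through a query string assembled at runtime.

Constructed example for this page; not the skill's or the plugin's code.
"""
import ast
import sqlite3
from dataclasses import dataclass, asdict

# Constructed sample under review: the untrusted value is spliced into SQL text.
VULNERABLE_SNIPPET = '''
def find_user(conn, username):
    cur = conn.cursor()
    cur.execute(f"SELECT id, name FROM users WHERE name = '{username}'")
    return cur.fetchall()
'''

# Hardened form: the value is passed as a bound parameter, never as SQL text.
HARDENED_SNIPPET = '''
def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id, name FROM users WHERE name = ?", (username,))
    return cur.fetchall()
'''


@dataclass
class Finding:
    """Assumed report shape: one record per issue a review would surface."""
    rule: str
    severity: str
    line: int
    message: str


# DB-API 2.0 cursor/connection methods that take SQL text as their first argument.
DB_CALLS = {"execute", "executemany", "executescript"}


def _is_dynamic_sql(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime: f-string with
    interpolated values, '+' or '%' on strings, or a .format() call."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def review_sql(source: str) -> list[Finding]:
    """Flag execute*() calls whose first argument is assembled at runtime."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in DB_CALLS and node.args and _is_dynamic_sql(node.args[0]):
            findings.append(Finding(
                rule="sql-injection",
                severity="high",
                line=node.lineno,
                message=f"{node.func.attr}() receives a dynamically built query; "
                        "pass user input as a bound parameter instead",
            ))
    return findings


def report(source: str) -> list[dict]:
    """Serialisable report: what a review skill could hand back to the caller."""
    return [asdict(f) for f in review_sql(source)]


def demo_exploit() -> tuple[int, int]:
    """Run both snippets against an in-memory SQLite DB with a tautology payload.
    Returns (rows from the vulnerable version, rows from the hardened version)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    ns_vuln: dict = {}
    ns_safe: dict = {}
    exec(VULNERABLE_SNIPPET, ns_vuln)   # defines find_user in each namespace
    exec(HARDENED_SNIPPET, ns_safe)
    payload = "x' OR '1'='1"            # classic tautology; no user is named this
    return (len(ns_vuln["find_user"](conn, payload)),
            len(ns_safe["find_user"](conn, payload)))


if __name__ == "__main__":
    print(report(VULNERABLE_SNIPPET))   # one high-severity sql-injection finding
    print(report(HARDENED_SNIPPET))     # no findings
    print(demo_exploit())               # (2, 0): all rows leak vs. none
```

The AST check is deliberately narrow (it only looks at the first argument of `execute*` calls and does not follow variables assigned earlier), which is the kind of limitation a skill's instructions should state so the agent knows when a clean result is not proof of safety; the `demo_exploit` function is the validation step the fourth suggestion asks for, confirming that the flagged code really is exploitable and that the hardened form is not.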
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose with extensive explanation of concepts Claude already knows. Sections like 'Overview', 'How It Works', 'When to Use This Skill', and 'Integration' explain obvious concepts without adding actionable value. The content is heavily padded with generic descriptions. | 1 / 3 |
| Actionability | No concrete code, commands, or executable guidance provided. Examples describe what 'the skill will' do abstractly rather than showing actual plugin invocation syntax, API calls, or specific commands. The 'Instructions' section is completely generic and non-actionable. | 1 / 3 |
| Workflow Clarity | No clear workflow for invoking the security-agent plugin. Steps like 'Invoke this skill when trigger conditions are met' and 'Provide necessary context' are vague placeholders. No validation checkpoints, no specific parameters, no feedback loops for handling scan results. | 1 / 3 |
| Progressive Disclosure | Content is organized into sections with headers, but it's a monolithic document with no references to external files for detailed information. The structure exists but contains mostly filler content that could be condensed significantly. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 13 / 16 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
metadata_version | 'metadata' field is not a dictionary | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 13 / 16 Passed | |