This skill automates security vulnerability testing. It is triggered when the user requests security assessments, penetration tests, or vulnerability scans. The skill covers OWASP Top 10 vulnerabilities, SQL injection, XSS, CSRF, authentication issues, and authorization flaws. Use this skill when the user mentions "security test", "vulnerability scan", "OWASP", "SQL injection", "XSS", "CSRF", "authentication", or "authorization" in the context of application or API testing.
87
53%
Does it follow best practices?
Impact
93%
1.06x average score across 9 eval scenarios
Passed
No known issues
Optimize this skill with Tessl: `npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/testing/security-test-scanner/skills/security-test-scanner/SKILL.md`

Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that excels across all dimensions. It provides specific capabilities, comprehensive trigger terms that users would naturally use, explicit 'when to use' guidance, and a clearly distinct niche. The description uses proper third-person voice and is well-structured without unnecessary verbosity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description lists multiple specific concrete actions and vulnerability types: OWASP Top 10, SQL injection, XSS, CSRF, authentication issues, and authorization flaws. It clearly names the domain (security vulnerability testing) and enumerates specific coverage areas. | 3 / 3 |
| Completeness | Clearly answers both 'what' (automates security vulnerability testing covering OWASP Top 10, SQL injection, XSS, CSRF, authentication, authorization) and 'when' (explicit 'Use this skill when...' clause with specific trigger terms and context of application or API testing). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'security test', 'vulnerability scan', 'OWASP', 'SQL injection', 'XSS', 'CSRF', 'authentication', 'authorization', 'penetration tests', 'security assessments'. These are terms users would naturally use when requesting this type of work. | 3 / 3 |
| Distinctiveness / Conflict Risk | The description carves out a clear niche in security vulnerability testing with highly specific trigger terms like 'OWASP', 'SQL injection', 'XSS', 'CSRF' that are unlikely to conflict with other skills. The context qualifier 'in the context of application or API testing' further narrows the scope. | 3 / 3 |
| Total | | 12 / 12 (Passed) |
Implementation: 7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially a high-level description of what a security testing tool would do, rather than actionable instructions for Claude. It lacks any concrete commands, code examples, tool invocation syntax, or output formats. The repeated references to a 'security-test-scanner plugin' without any specification of how to use it render the skill non-functional.
Suggestions
Replace abstract descriptions with concrete, executable commands showing how to invoke the security-test-scanner plugin, including exact syntax, required arguments, and expected output format.
Add a real input/output example showing the actual command to run and a sample report or output JSON so Claude knows what to produce.
Remove the 'When to Use This Skill', 'Best Practices', and 'Integration' sections — these are generic filler that waste tokens without adding actionable guidance.
Add validation/error-handling steps: what to do when the scanner fails, how to verify results, and how to handle authentication errors or scope misconfigurations.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and explains things Claude already knows (what OWASP Top 10 is, what SQL injection is, what security testing means). The 'When to Use This Skill' section redundantly restates the description. 'Best Practices' and 'Integration' sections add generic advice that doesn't provide actionable, skill-specific value. | 1 / 3 |
| Actionability | The skill provides no concrete code, commands, or executable guidance. It repeatedly references a 'security-test-scanner plugin' without showing how to invoke it, what arguments it takes, what its output format looks like, or any actual commands. The examples describe what 'the skill will do' in abstract terms rather than providing concrete steps Claude can execute. | 1 / 3 |
| Workflow Clarity | The workflow steps are vague ('Activate the security-test-scanner plugin', 'Execute tests', 'Generate report') with no concrete commands, no validation checkpoints, no error handling, and no feedback loops. Security testing is a domain where validation and error recovery are critical, yet none are addressed. | 1 / 3 |
| Progressive Disclosure | The content is organized into logical sections with clear headers, which provides some structure. However, there are no references to external files, no bundle files exist, and content that could be separated (e.g., detailed test configurations, report formats) is neither inline nor referenced. The organization is reasonable but the content itself is too shallow to benefit from progressive disclosure. | 2 / 3 |
| Total | | 5 / 12 (Passed) |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.