This skill automates security vulnerability testing. It is triggered when the user requests security assessments, penetration tests, or vulnerability scans. The skill covers OWASP Top 10 vulnerabilities, SQL injection, XSS, CSRF, authentication issues, and authorization flaws. Use this skill when the user mentions "security test", "vulnerability scan", "OWASP", "SQL injection", "XSS", "CSRF", "authentication", or "authorization" in the context of application or API testing.
Install with Tessl CLI
npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill performing-security-testing88
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Evaluation — 93%
↑ 1.03x agent success when using this skill
Validation for skill structure
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that excels across all dimensions. It provides specific vulnerability types and testing actions, includes comprehensive natural trigger terms users would actually say, explicitly states both what the skill does and when to use it, and occupies a distinct niche in security testing that minimizes conflict risk with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions and vulnerability types: 'OWASP Top 10 vulnerabilities, SQL injection, XSS, CSRF, authentication issues, and authorization flaws' along with the core action of 'automates security vulnerability testing'. | 3 / 3 |
| Completeness | Clearly answers both what ('automates security vulnerability testing' covering specific vulnerability types) AND when (explicit 'Use this skill when...' clause with specific trigger terms and context). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'security test', 'vulnerability scan', 'OWASP', 'SQL injection', 'XSS', 'CSRF', 'authentication', 'authorization', 'penetration tests', and context of 'application or API testing'. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clear niche focused on security vulnerability testing with distinct triggers like 'OWASP', 'SQL injection', 'XSS', 'CSRF' that are unlikely to conflict with other skills; the security testing domain is well-defined. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 20%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content is largely descriptive rather than instructive. It explains what a security testing skill would do conceptually but provides no actual commands, code, configuration, or concrete steps for Claude to execute. The content reads like marketing copy for a plugin rather than actionable guidance for performing security tests.
Suggestions
Replace narrative descriptions with actual executable commands showing how to invoke the security-test-scanner plugin (e.g., `security-test-scanner --target https://api.example.com --tests owasp-top-10`)
Add concrete code examples showing how to configure and run specific vulnerability tests, including expected output formats
Include validation steps and error handling guidance (e.g., 'If scan returns exit code 1, check connection; if exit code 2, review authentication credentials')
Remove the 'How It Works' and 'When to Use This Skill' sections entirely - this information is redundant with the skill description and wastes tokens
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose with unnecessary explanations of what the skill does, when to use it, and how it works. Claude doesn't need sections explaining 'How It Works' or 'When to Use This Skill' - these repeat information Claude already has from the description. The content explains concepts rather than providing actionable instructions. | 1 / 3 |
| Actionability | No concrete code, commands, or executable guidance provided. The skill describes what 'the plugin will do' abstractly but never shows actual commands, API calls, configuration, or how to invoke the security-test-scanner plugin. Examples are narrative descriptions, not actionable instructions. | 1 / 3 |
| Workflow Clarity | Steps are listed (1, 2, 3) but they're vague ('Activate the plugin', 'Execute tests'). No validation checkpoints, no error handling, no feedback loops for when scans fail or produce false positives. Missing critical details like how to handle scan failures or interpret ambiguous results. | 2 / 3 |
| Progressive Disclosure | Content is organized into sections but everything is inline with no references to detailed documentation. The 'Integration' section mentions CI/CD and reporting tools but provides no links or details. For a security testing skill, there should be references to detailed vulnerability guides, remediation docs, or configuration references. | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
No warnings or errors.