CtrlK
BlogDocsLog inGet started
Tessl Logo

scanning-database-security

Process use when you need to work with security and compliance. This skill provides security scanning and vulnerability detection with comprehensive guidance and automation. Trigger with phrases like "scan for vulnerabilities", "implement security controls", or "audit security".

66

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

80%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is highly actionable and lean, with concrete executable SQL and grep guidance for a multi-database audit. Its main gaps are missing validation/feedback checkpoints in the workflow and failure to leverage the bundled scripts and assets via clear one-level-deep references.

Suggestions

Add explicit validation checkpoints to the workflow (e.g., verify/confirm findings before report generation, and test remediation scripts in a staging session before applying).

Reference the bundled scripts and assets (e.g., 'See scripts/database_scan.py to run the scan', 'See assets/report_template.html for report output') instead of keeping everything inline.

Split the per-database SQL details or the SQL injection scanning into a reference file to reduce the monolithic Instructions section and improve navigation.

DimensionReasoningScore

Conciseness

The body goes straight to actionable checks with concrete SQL and grep patterns and assumes Claude's competence (no 'what is SQL injection' explanations); not a 2 because there is no concept-explanation padding, though the narrative Examples section is slightly looser.

3 / 3

Actionability

It supplies copy-paste-ready, executable commands throughout (e.g. 'SELECT r.rolname, r.rolsuper ... FROM pg_roles r WHERE r.rolcanlogin = true', 'SHOW ssl', concrete grep patterns); not below 3 because guidance is specific and executable rather than abstract.

3 / 3

Workflow Clarity

Steps 1-10 are clearly sequenced, but there are no explicit validation/verification checkpoints or validate->fix->retry feedback loops, and database operations plus destructive remediation script generation warrant them; not a 1 because the sequence is clear and an error-handling table exists, but capped at 2 per the database-operations feedback-loop rule.

2 / 3

Progressive Disclosure

The body is well-sectioned (Overview, Prerequisites, Instructions, Output, Error Handling, Examples, Resources) but monolithic, and provided bundle files (scripts/database_scan.py, assets/report_template.html) are never referenced or linked; not a 1 because organization is reasonable, but not a 3 because content that could be split out stays inline and bundle files are unused.

2 / 3

Total

10

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description answers what and when with natural trigger phrases, but is weakened by generic security language that omits 'database', vague fluff ('comprehensive guidance and automation'), and a malformed opening ('Process use when...'). It is functional but not distinctive enough for a database-specific skill.

Suggestions

Add 'database' / 'PostgreSQL, MySQL, MongoDB' to the description so it is clearly distinguishable from generic or web/network security skills.

Replace 'comprehensive guidance and automation' fluff with specific concrete actions (e.g., 'audit user privileges, check encryption, scan for SQL injection, review logging').

Fix the malformed opening ('Process use when you need to work with security and compliance.') into clean third-person voice.

DimensionReasoningScore

Specificity

It names the security/compliance domain and two fairly generic actions ('security scanning and vulnerability detection') but pads them with fluff ('comprehensive guidance and automation') rather than listing multiple specific concrete actions; not a 3 because the actions are broad and not a 1 because the domain and core actions are stated.

2 / 3

Completeness

It answers both what ('security scanning and vulnerability detection') and when ('use when you need to work with security and compliance' plus explicit trigger phrases); not a 2 because an explicit 'Use when' clause and triggers are present.

3 / 3

Trigger Term Quality

It provides natural trigger phrases a user would actually say — 'scan for vulnerabilities', 'implement security controls', 'audit security' — giving good coverage of likely phrasings; not below 3 because the terms are natural and varied.

3 / 3

Distinctiveness Conflict Risk

The description never mentions 'database', so generic 'security'/'audit security' triggers could overlap with web or network security skills; not a 1 because it is narrowed to security/compliance scanning, but not a 3 because it lacks a clear database-specific niche.

2 / 3

Total

10

/

12

Passed

Validation

87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation14 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

allowed_tools_field

'allowed-tools' contains unusual tool name(s)

Warning

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

14

/

16

Passed

Repository
jeremylongshore/claude-code-plugins-plus-skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.