Process use when you need to work with security and compliance. This skill provides security scanning and vulnerability detection with comprehensive guidance and automation. Trigger with phrases like "scan for vulnerabilities", "implement security controls", or "audit security".
Scores: 68, 62%
Quality: Does it follow best practices?
Impact: Pending (no eval scenarios have been run)
Advisory: Suggest reviewing before use
Optimize this skill with Tessl: `npx tessl skill review --optimize ./plugins/database/database-security-scanner/skills/scanning-database-security/SKILL.md`

Quality
Discovery (67%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description covers the basics of what the skill does and when to use it, including explicit trigger phrases. However, it suffers from moderate vagueness—terms like 'comprehensive guidance and automation' are fluffy and non-specific. The opening sentence 'Process use when you need to work with security and compliance' is grammatically awkward and reads more like a malformed instruction than a clear description.
Suggestions
Replace vague phrases like 'comprehensive guidance and automation' with specific concrete actions (e.g., 'scan dependencies for CVEs, check configurations against CIS benchmarks, generate compliance reports').
Expand trigger terms to include more natural user language variations such as 'CVE', 'security review', 'compliance check', 'SAST', 'dependency audit', or specific frameworks like 'OWASP' or 'SOC2'.
Fix the awkward opening sentence to use proper third-person voice describing the skill's purpose clearly, e.g., 'Performs security scanning and vulnerability detection for codebases and infrastructure.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (security and compliance) and mentions some actions like 'security scanning', 'vulnerability detection', and 'automation', but these are fairly broad and not concrete specific actions like 'scan Docker images for CVEs' or 'generate SBOM reports'. | 2 / 3 |
| Completeness | The description answers both 'what' (security scanning, vulnerability detection, guidance and automation) and 'when' (explicit trigger phrases and a 'Use when' equivalent in the first sentence). Both components are present and explicit. | 3 / 3 |
| Trigger Term Quality | It includes some relevant trigger phrases like 'scan for vulnerabilities', 'implement security controls', and 'audit security', which are reasonable terms users might say. However, it misses many common variations like 'CVE', 'penetration test', 'compliance check', 'OWASP', 'security review', or specific file/tool references. | 2 / 3 |
| Distinctiveness / Conflict Risk | While 'security and compliance' is a recognizable domain, the description is broad enough that it could overlap with more specific security skills (e.g., a dedicated dependency scanning skill or a compliance-specific skill). The triggers help but are still fairly general within the security domain. | 2 / 3 |
| Total | 9 / 12 Passed | |
Implementation (57%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides highly actionable, concrete security audit guidance with executable SQL queries and specific configuration checks across multiple database engines. Its main weaknesses are the monolithic structure—covering three database engines, compliance frameworks, SQL injection scanning, and remediation all in one file—and the lack of explicit validation checkpoints in the workflow. The content would be significantly improved by splitting into focused sub-files and adding verify/rollback steps.
Suggestions
Split database-specific audit queries and remediation into separate reference files (e.g., POSTGRESQL_AUDIT.md, MYSQL_AUDIT.md, MONGODB_AUDIT.md) and reference them from the main skill with clear navigation links.
Add explicit validation checkpoints between steps, especially before remediation actions—e.g., 'Before revoking privileges, verify application connectivity with reduced permissions in a staging environment.'
Move the compliance framework mapping (SOC 2, HIPAA, PCI-DSS) into a separate COMPLIANCE_MAPPING.md file, keeping only a brief reference in the main skill.
Add a rollback/safety section for destructive remediation steps like revoking superuser privileges or changing authentication methods.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly detailed and covers a lot of ground, but includes some unnecessary verbosity: the examples section restates concepts already clear from the instructions, and the resources section lists URLs that Claude already knows about. The error handling table, while useful, could be more concise. However, most content is substantive and not padded with basic explanations. | 2 / 3 |
| Actionability | The skill provides specific, executable SQL queries for each audit step, concrete grep patterns for SQL injection scanning, specific configuration parameters to check, and exact remediation commands. The guidance is copy-paste ready and covers PostgreSQL, MySQL, and MongoDB with concrete examples throughout. | 3 / 3 |
| Workflow Clarity | The 10 steps provide a clear sequence for the audit process, but there are no explicit validation checkpoints or feedback loops between steps. For a security scanning workflow that could involve destructive remediation (revoking privileges, changing authentication), there should be explicit verify-before-proceeding gates and rollback guidance. | 2 / 3 |
| Progressive Disclosure | The skill is a monolithic wall of text with no references to supporting files. Given the breadth of content (3 database engines, SQL injection scanning, compliance mapping, remediation scripts, hardened config templates), this content would benefit enormously from being split into separate files for each database engine, compliance mappings, and remediation templates. Everything is inline in a single long document. | 1 / 3 |
| Total | 8 / 12 Passed | |
Validation (81%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
3a2d27d