Process use when you need to work with security and compliance. This skill provides security scanning and vulnerability detection with comprehensive guidance and automation. Trigger with phrases like "scan for vulnerabilities", "implement security controls", or "audit security".
Score: 68
Quality: 62%. Does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Advisory: Suggest reviewing before use.
Optimize this skill with Tessl:
npx tessl skill review --optimize ./plugins/database/database-security-scanner/skills/scanning-database-security/SKILL.md
Quality
Discovery
67%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description covers the basics of what the skill does and when to use it, including explicit trigger phrases. However, it suffers from vague filler language ('comprehensive guidance and automation'), lacks specificity in concrete actions, and the opening sentence is awkwardly phrased ('Process use when you need to work with security and compliance'). The domain is broad enough to risk overlap with other security-related skills.
Suggestions
Replace vague phrases like 'comprehensive guidance and automation' with specific concrete actions (e.g., 'scan code for CVEs, check dependency vulnerabilities, generate compliance reports, enforce security policies').
Expand trigger terms to include more natural user language variations such as 'CVE', 'security review', 'penetration test', 'compliance audit', 'OWASP', '.sarif files'.
Fix the awkward opening sentence ('Process use when you need to...') to use proper third-person voice describing the skill's purpose clearly.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (security and compliance) and mentions some actions like 'security scanning' and 'vulnerability detection', but these are fairly broad and not comprehensively listed as concrete, distinct actions. 'Comprehensive guidance and automation' is vague filler. | 2 / 3 |
| Completeness | The description answers both 'what' (security scanning and vulnerability detection) and 'when' (explicit trigger phrases and a 'Use when' equivalent in the first line). It has explicit trigger guidance with example phrases. | 3 / 3 |
| Trigger Term Quality | Includes some relevant trigger phrases like 'scan for vulnerabilities', 'implement security controls', and 'audit security', which are reasonable terms users might say. However, it misses many common variations like 'CVE', 'penetration test', 'compliance check', 'OWASP', 'security review', or specific file/tool references. | 2 / 3 |
| Distinctiveness / Conflict Risk | While 'security scanning' and 'vulnerability detection' are somewhat specific, the broad framing of 'security and compliance' could overlap with other security-related skills (e.g., a compliance-specific skill, a code review skill, or a DevSecOps skill). The triggers help but the domain is still quite wide. | 2 / 3 |
| Total | | 9 / 12 Passed |
Implementation
57%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides highly actionable, concrete guidance for database security auditing with executable SQL queries and specific configuration checks across multiple database systems. Its main weaknesses are the monolithic structure that could benefit from splitting database-specific content into separate files, and the lack of explicit validation checkpoints between scanning and remediation phases. The content is substantive but could be more concise by removing the resources section and tightening the examples.
Suggestions
Split database-specific queries and configurations into separate referenced files (e.g., POSTGRESQL.md, MYSQL.md, MONGODB.md) to improve progressive disclosure and reduce the monolithic structure.
Add explicit validation checkpoints after remediation steps, such as 're-run privilege audit query to confirm SUPERUSER was revoked' and 'verify SSL is active with SHOW ssl after configuration change'.
Trim the Resources section (Claude can find these URLs) and condense the Examples section to save tokens while preserving the actionable query content.
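One concrete shape for the validation checkpoint suggested above, written here as an added example; it is not part of the reviewed skill and not Tessl output. It is PostgreSQL dialect. The role name app_user is a constructed placeholder for a role the privilege audit found holding SUPERUSER, and the TLS check assumes ssl = on has already been written to postgresql.conf before the reload. Each checkpoint is a DO block that raises, so an agent executing the remediation cannot drift past an unfixed finding by reading output loosely.

```sql
-- Added example, not from the reviewed skill: remediation followed by an
-- explicit verification checkpoint (PostgreSQL). The role name app_user is a
-- constructed placeholder for a role found holding SUPERUSER in the audit.

-- 1. Audit: which roles hold SUPERUSER? Only the bootstrap superuser should.
SELECT rolname
FROM pg_roles
WHERE rolsuper;

-- 2. Remediate the finding.
ALTER ROLE app_user NOSUPERUSER;

-- 3. Checkpoint: re-run the audit for that role and fail hard if it still
--    holds SUPERUSER, instead of trusting that the ALTER took effect.
DO $$
BEGIN
  IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'app_user' AND rolsuper) THEN
    RAISE EXCEPTION 'checkpoint failed: app_user still has SUPERUSER';
  END IF;
END
$$;

-- 4. TLS: ssl is a reload-time parameter, so after editing postgresql.conf a
--    reload (not a restart) is enough. The check must be a separate statement,
--    because the backend applies the reload between statements.
SELECT pg_reload_conf();

DO $$
BEGIN
  IF current_setting('ssl') <> 'on' THEN
    RAISE EXCEPTION 'checkpoint failed: ssl is %, expected on',
      current_setting('ssl');
  END IF;
END
$$;

-- 5. Cross-check on a live session: pg_stat_ssl reports whether this
--    connection actually negotiated TLS, which SHOW ssl alone does not prove.
--    Run this from a connection opened after the reload; a session opened
--    while ssl was off will correctly report ssl = false.
SELECT ssl, version, cipher
FROM pg_stat_ssl
WHERE pid = pg_backend_pid();
```

The same pattern (query the catalog, remediate, re-query and raise on mismatch) carries over to the MySQL and MongoDB steps the review mentions; what matters for the workflow is that the verification is a separate, failing step rather than a comment telling the agent to look at the output.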
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly comprehensive but includes some verbosity that could be tightened. The examples section restates concepts already covered in the instructions, and the resources section lists URLs that Claude could look up. However, most content is substantive and not explaining things Claude already knows. | 2 / 3 |
| Actionability | The skill provides specific, executable SQL queries for each audit step, concrete grep patterns for SQL injection scanning, specific configuration parameters to check, and exact remediation commands. The guidance is copy-paste ready with real queries against system catalogs. | 3 / 3 |
| Workflow Clarity | The 10 steps provide a clear sequence for the audit process, but there are no explicit validation checkpoints or feedback loops. For a security scanning workflow that could involve destructive remediation scripts, there should be validation steps between scanning and applying fixes, and verification that remediations were applied correctly. | 2 / 3 |
| Progressive Disclosure | The content is a monolithic wall of text with no references to separate files. The detailed SQL queries for three different database systems, compliance framework mappings, error handling, and examples are all inline. Database-specific guidance, remediation templates, and compliance checklists would benefit from being split into separate referenced files. | 1 / 3 |
| Total | | 8 / 12 Passed |
Validation
81%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation: 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |