Process use when you need to work with security and compliance. This skill provides security scanning and vulnerability detection with comprehensive guidance and automation. Trigger with phrases like "scan for vulnerabilities", "implement security controls", or "audit security".
Quality: 62% (Does it follow best practices?)
Impact: No eval scenarios have been run
Advisory: Suggest reviewing before use
Optimize this skill with Tessl: npx tessl skill review --optimize ./plugins/database/database-security-scanner/skills/scanning-database-security/SKILL.md

Quality

Discovery: 67%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description covers the basics of what the skill does and when to use it, including explicit trigger phrases. However, it suffers from moderate vagueness—terms like 'comprehensive guidance and automation' are fluffy and non-specific. The opening sentence 'Process use when you need to work with security and compliance' is grammatically awkward and reads more like a template placeholder than a polished description.
Suggestions
Replace vague phrases like 'comprehensive guidance and automation' with specific concrete actions (e.g., 'scan dependencies for CVEs, check configurations against CIS benchmarks, generate compliance reports').
Expand trigger terms to include more natural user phrases and common variations like 'CVE', 'security review', 'compliance check', 'OWASP', 'penetration test', or specific tool names.
Fix the awkward opening sentence—rewrite in clear third person voice describing what the skill does, e.g., 'Performs security scanning and vulnerability detection for codebases and infrastructure configurations.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (security and compliance) and mentions some actions like 'security scanning', 'vulnerability detection', and 'automation', but these are fairly broad and not concrete specific actions like 'scan Docker images for CVEs' or 'generate SBOM reports'. | 2 / 3 |
| Completeness | The description answers both 'what' (security scanning, vulnerability detection, guidance and automation) and 'when' (explicit trigger phrases and a 'Use when' equivalent in the first sentence). Both components are present and explicit. | 3 / 3 |
| Trigger Term Quality | It includes some relevant trigger phrases like 'scan for vulnerabilities', 'implement security controls', and 'audit security', which are reasonable terms users might say. However, it misses many common variations like 'CVE', 'penetration test', 'compliance check', 'OWASP', 'security review', or specific file/tool references. | 2 / 3 |
| Distinctiveness Conflict Risk | While 'security and compliance' is a recognizable domain, the description is broad enough that it could overlap with more specific security skills (e.g., a dedicated dependency scanning skill or a compliance-specific skill). The triggers help but are still fairly general within the security domain. | 2 / 3 |
| Total | | 9 / 12 Passed |
Implementation: 57%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides highly actionable and concrete security audit guidance with executable SQL queries and specific configuration checks across multiple database systems. However, it suffers from being a monolithic document that would benefit significantly from splitting database-specific content, remediation templates, and compliance mappings into separate files. The workflow lacks explicit validation checkpoints and feedback loops, which is a notable gap for security-sensitive operations involving privilege changes and configuration modifications.
Suggestions
Split database-specific audit queries and configurations into separate files (e.g., POSTGRESQL.md, MYSQL.md, MONGODB.md) and reference them from the main skill for better progressive disclosure
Add explicit validation checkpoints after remediation steps, e.g., 'After revoking SUPERUSER, verify with: SELECT rolname, rolsuper FROM pg_roles WHERE rolname = target_user' to create feedback loops
Move the remediation script templates and compliance mapping tables into separate referenced files to reduce the main document size
Remove the Resources section with external URLs that Claude cannot access during execution, or replace with guidance on where to find version-specific CVE information in local documentation
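As an added example (not code from the skill under review), here is the revoke-then-verify checkpoint suggested above, written for PostgreSQL; the role name app_admin is a constructed placeholder, and the final query shows the matching "test connectivity after SSL enforcement" check on the current session:

```sql
-- Remediation step: strip the SUPERUSER attribute from the audited role.
ALTER ROLE app_admin NOSUPERUSER;

-- Validation checkpoint: re-read the catalog instead of assuming the ALTER
-- took effect, and fail loudly so an automated workflow cannot continue
-- on a role that is still privileged.
DO $$
DECLARE
  still_super boolean;
BEGIN
  SELECT rolsuper INTO still_super
    FROM pg_roles
   WHERE rolname = 'app_admin';

  IF still_super IS NULL THEN
    RAISE EXCEPTION 'role app_admin not found; nothing was verified';
  ELSIF still_super THEN
    RAISE EXCEPTION 'role app_admin is still SUPERUSER; remediation did not apply';
  END IF;

  RAISE NOTICE 'checkpoint passed: app_admin is no longer SUPERUSER';
END $$;

-- Connectivity checkpoint after enforcing SSL in pg_hba.conf: confirm that
-- this very session is actually encrypted rather than only that the config
-- file was edited.
SELECT ssl, version AS tls_version
  FROM pg_stat_ssl
 WHERE pid = pg_backend_pid();
```

If the last query returns ssl = false, the enforcement change has not reached the connection path the application uses, and the remediation should be treated as incomplete.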
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly detailed and mostly earns its tokens with specific queries and commands, but includes some unnecessary padding like the Resources section with URLs Claude can't access, verbose error handling table entries, and the Examples section that restates concepts already covered in the instructions. The Prerequisites section explaining compliance frameworks is also somewhat unnecessary. | 2 / 3 |
| Actionability | The skill provides concrete, executable SQL queries for each audit step (e.g., querying pg_roles, information_schema, checking pg_hba.conf settings), specific configuration parameters to check, grep patterns for SQL injection scanning, and exact remediation commands. The guidance is specific and copy-paste ready. | 3 / 3 |
| Workflow Clarity | The 10 steps provide a clear sequence for the audit process, but there are no explicit validation checkpoints or feedback loops. For a security scanning workflow that could involve destructive remediation scripts, there should be verification steps (e.g., 'verify privilege revocation succeeded', 'test connectivity after SSL enforcement'). The workflow is linear without error recovery loops. | 2 / 3 |
| Progressive Disclosure | The content is a monolithic wall of text with no references to supporting files despite being a complex, multi-database security scanning skill. Database-specific configurations, remediation script templates, compliance mapping tables, and detailed examples could all be split into separate referenced files. Everything is inline in one long document. | 1 / 3 |
| Total | | 8 / 12 Passed |
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation: 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |