This skill enables Claude to automatically scan source code for potential input validation vulnerabilities. It identifies areas where user-supplied data is not properly sanitized or validated before being used in operations, which could lead to security exploits like SQL injection, cross-site scripting (XSS), or command injection. Use this skill when the user asks to "scan for input validation issues", "check input sanitization", "find potential XSS vulnerabilities", or similar requests related to securing user input. It is particularly useful during code reviews, security audits, and when hardening applications against common web vulnerabilities. The skill leverages the input-validation-scanner plugin to perform the analysis.
87
53%: Does it follow best practices?
Impact: 90% (1.09x average score across 12 eval scenarios)
Passed: No known issues
Quality
Discovery
100%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly articulates what the skill does (scans source code for input validation vulnerabilities including SQL injection, XSS, and command injection), when to use it (with explicit trigger phrases and use-case contexts), and how it works (via the input-validation-scanner plugin). It uses proper third-person voice throughout and provides enough specificity to distinguish it from other security-related skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description lists multiple specific concrete actions: scanning source code for input validation vulnerabilities, identifying unsanitized user-supplied data, and names specific vulnerability types (SQL injection, XSS, command injection). It also mentions the specific plugin used. | 3 / 3 |
| Completeness | Clearly answers both 'what' (scans source code for input validation vulnerabilities, identifies unsanitized user data) and 'when' (explicit 'Use this skill when...' clause with quoted trigger phrases, plus context like code reviews and security audits). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would say: 'scan for input validation issues', 'check input sanitization', 'find potential XSS vulnerabilities', plus broader terms like 'security audits', 'code reviews', 'web vulnerabilities', 'SQL injection', 'command injection'. | 3 / 3 |
| Distinctiveness / Conflict Risk | The description carves out a clear niche focused specifically on input validation vulnerabilities in source code, with distinct triggers like 'input sanitization', 'XSS vulnerabilities', and 'input-validation-scanner plugin'. This is unlikely to conflict with general code review or other security skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
7%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content reads like a marketing description rather than actionable instructions. It lacks any concrete commands, code examples, plugin invocation syntax, or expected output formats. The content is padded with explanations of concepts Claude already understands and provides no executable guidance for actually performing an input validation scan.
Suggestions
Add concrete, executable examples showing how to invoke the input-validation-scanner plugin, including exact command syntax, required arguments, and expected output format.
Remove the 'Overview', 'When to Use', and 'Best Practices' sections entirely—they explain concepts Claude already knows and duplicate the skill description metadata.
Include a real example showing sample input code, the scan command, and the resulting vulnerability report so Claude knows exactly what to produce.
Add validation/verification steps: what to do when vulnerabilities are found, how to confirm fixes, and how to re-scan after remediation.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and explains concepts Claude already knows (what XSS is, what SQL injection is, what input validation means). The 'Overview', 'When to Use', and 'Best Practices' sections are largely redundant with each other and with Claude's existing knowledge. Nearly every section could be cut or drastically shortened. | 1 / 3 |
| Actionability | There are no concrete commands, code examples, API calls, or executable instructions. The examples describe what the skill 'will do' in abstract terms rather than showing how to invoke the plugin, what arguments to pass, or what the output looks like. There is no copy-paste ready guidance whatsoever. | 1 / 3 |
| Workflow Clarity | The 'How It Works' section lists abstract steps ('Initiate Scan', 'Code Analysis') without any concrete commands, tool invocations, or validation checkpoints. There is no feedback loop for handling scan results, no error recovery, and no actual workflow a user or Claude could follow. | 1 / 3 |
| Progressive Disclosure | The content is organized into sections with headers, which provides some structure. However, there are no references to external files, no bundle files to reference, and the content is a monolithic set of vague descriptions that could benefit from splitting actionable details into separate references. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation
100%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
13d35b8