
android-security-best-practices

Apply Android app security guidance around secrets, storage, network trust, exported components, and least privilege.

57

Quality: 48% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)


Quality

Discovery

40%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear and distinct domain (Android app security) with relevant sub-topics, giving it good distinctiveness. However, it lacks an explicit 'Use when...' clause, uses a single vague action verb ('Apply'), and misses common user-facing trigger terms like 'API keys', 'permissions', or 'mobile security'. Adding explicit trigger guidance and more concrete actions would significantly improve skill selection accuracy.

Suggestions

Add a 'Use when...' clause such as 'Use when reviewing Android app code for security issues, hardening mobile apps, or when the user mentions API keys, permissions, manifest security, or mobile app vulnerabilities.'

Replace the vague 'Apply...guidance' with specific actions like 'Audit Android apps for hardcoded secrets, insecure storage, improper network trust configuration, overly permissive exported components, and excessive permissions.'

Include additional natural trigger terms users might say, such as 'API keys', 'hardcoded credentials', 'AndroidManifest', 'intent filters', 'permissions', 'mobile security', or 'ProGuard'.

Dimension (Score): Reasoning

Specificity (2 / 3): Names the domain (Android app security) and lists several areas (secrets, storage, network trust, exported components, least privilege), but these are topic areas rather than concrete actions. The only verb is 'Apply', which is somewhat vague.

Completeness (1 / 3): Describes what it does (apply Android security guidance across several areas) but has no explicit 'Use when...' clause or equivalent trigger guidance, which per the rubric should cap completeness at 2, and the 'what' is also somewhat weak: it's more of a topic list than a clear capability statement, pushing it to 1.

Trigger Term Quality (2 / 3): Includes relevant keywords like 'Android', 'secrets', 'storage', 'network trust', 'exported components', and 'least privilege' that a security-minded developer might use, but misses common variations like 'permissions', 'API keys', 'hardcoded credentials', 'manifest', 'intent filters', or 'mobile security'.

Distinctiveness Conflict Risk (3 / 3): The combination of 'Android app security' with specific sub-topics like 'exported components' and 'network trust' creates a clear niche that is unlikely to conflict with other skills. This is a well-defined domain.

Total: 8 / 12 (Passed)

Implementation

57%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured instructional skill that covers Android security comprehensively with good progressive disclosure and clear organization. Its main weaknesses are the lack of concrete, executable code examples (manifest snippets, Kotlin code for secure patterns) and some redundancy across sections. The workflow would benefit from explicit validation steps and feedback loops rather than the current high-level guidance.

Suggestions

Add concrete XML manifest snippets and Kotlin/Java code examples showing correct patterns (e.g., a properly configured exported component, FileProvider setup, network security config XML) to improve actionability.

Add explicit validation checkpoints in the workflow, such as specific lint checks, gradle tasks, or script commands that verify each step's output before proceeding.

Consolidate overlapping content between Guardrails, Anti-Patterns, Review Focus, and Done Checklist to reduce redundancy—several items (exported components, secrets, network config) appear in nearly identical form across all four sections.

Dimension (Score): Reasoning

Conciseness (2 / 3): The content is reasonably efficient but includes some redundancy between sections (e.g., exported components and network security config are mentioned in Workflow, Guardrails, Anti-Patterns, Review Focus, and Done Checklist). The Review Focus section largely restates what's already covered. However, it avoids explaining basic Android concepts Claude would already know.

Actionability (2 / 3): The skill provides grep commands as examples and names specific Android attributes/APIs (FileProvider, networkSecurityConfig, PendingIntent), which is helpful. However, it lacks executable code examples showing correct implementations: no manifest XML snippets, no Kotlin/Java code for secure storage or FileProvider setup, and no concrete before/after examples. The guidance is specific but largely descriptive rather than copy-paste ready.

Workflow Clarity (2 / 3): The 5-step workflow provides a logical sequence (inventory → remove risk → harden → review regressions → validate release), but validation checkpoints are vague ('reproducible checks' without specifying what those are). There's no explicit feedback loop for when issues are found during steps 3-4, and the 'failure recovery' example is about skill handoff rather than actual error recovery in the security review process.

Progressive Disclosure (3 / 3): The skill cleanly references `references/patterns.md` and `references/scenarios.md` for detailed checklists and review paths, with clear signals about when to consult each. Handoff to related skills is well-signaled. The main content stays at overview level with appropriate depth, and external references are one level deep.

Total: 9 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

metadata_field: 'metadata' should map string keys to string values. Result: Warning

Total: 10 / 11 (Passed)

Repository: krutikJain/android-agent-skills (Reviewed)