
brakeman

Static analysis security vulnerability scanner for Ruby on Rails applications. Use when analyzing Rails code for security issues, running security audits, reviewing code for vulnerabilities, setting up security scanning in CI/CD, managing security warnings, or investigating specific vulnerability types (SQL injection, XSS, command injection, etc.). Also use when configuring Brakeman, reducing false positives, or integrating with automated workflows.

Quality: 82% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Passed, no known issues

Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly identifies its domain (Brakeman/Rails security scanning), lists specific capabilities and vulnerability types, and provides comprehensive trigger guidance via an explicit 'Use when...' clause. It uses proper third-person voice throughout and covers both broad use cases (security audits) and specific ones (reducing false positives, configuring Brakeman). The description is well-structured and would allow Claude to confidently select this skill from a large pool.

Dimension / Reasoning / Score

Specificity: 3 / 3
Lists multiple specific concrete actions: analyzing Rails code for security issues, running security audits, reviewing code for vulnerabilities, setting up security scanning in CI/CD, managing security warnings, configuring Brakeman, reducing false positives, and integrating with automated workflows.

Completeness: 3 / 3
Clearly answers both 'what' (static analysis security vulnerability scanner for Ruby on Rails applications) and 'when' with an explicit 'Use when...' clause covering multiple trigger scenarios including security audits, vulnerability types, configuration, and CI/CD integration.

Trigger Term Quality: 3 / 3
Excellent coverage of natural terms users would say: 'security audit', 'vulnerabilities', 'SQL injection', 'XSS', 'command injection', 'Rails', 'Brakeman', 'CI/CD', 'false positives', 'security scanning'. These are all terms a developer would naturally use when seeking this kind of help.

Distinctiveness / Conflict Risk: 3 / 3
Highly distinctive with a clear niche: specifically targets Brakeman for Ruby on Rails security scanning. The combination of 'Rails', 'Brakeman', and specific vulnerability types like SQL injection and XSS makes it very unlikely to conflict with other skills.

Total: 12 / 12 (Passed)

Implementation: 64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a comprehensive and actionable Brakeman skill with strong executable examples and good coverage of common workflows. Its main weaknesses are verbosity (could be trimmed by ~30% without losing value) and the lack of explicit validation/feedback loops in multi-step workflows. The progressive disclosure structure is reasonable but the main file carries too much content that could be offloaded to reference files.

Suggestions

Trim the overview paragraph, best practices list, and warning types list — Claude doesn't need explanations of what SQL injection or XSS are, and 10 best practices can be condensed to the 3-4 most non-obvious ones.

Add explicit validation checkpoints to the Common Workflows section, e.g., 'Verify report.json was created and contains expected structure before proceeding' or 'If brakeman exits non-zero, check -d output before adjusting configuration.'

Move the Troubleshooting section and detailed CI/CD integration examples to reference files to reduce the main skill's token footprint.

Dimension / Reasoning / Score

Conciseness: 2 / 3
The skill is reasonably well-organized but includes unnecessary explanations Claude already knows (e.g., what Brakeman is, what confidence levels mean conceptually, the overview paragraph). The best practices section is verbose with 10 items that are mostly common sense. The warning types list could be trimmed since it just lists names without actionable detail.

Actionability: 3 / 3
The skill provides fully executable, copy-paste ready commands throughout. Installation methods, scan commands, output format flags, configuration YAML examples, CI scripts, and interactive ignore workflows are all concrete and specific.

Workflow Clarity: 2 / 3
The workflow decision tree is a nice touch and the 'Common Workflows' section provides sequenced steps. However, the initial security audit workflow and CI/CD workflows lack explicit validation checkpoints or feedback loops (e.g., no 'verify the report was generated correctly' or 'if scan fails to parse, do X'). The interactive ignore workflow does have clear step-by-step guidance with options.

Progressive Disclosure: 2 / 3
The skill references three files in a references/ directory (warning_types.md, command_options.md, reducing_false_positives.md) which is good structure, but no bundle files were provided so these references are unverifiable. The main file itself is quite long (~300 lines) with content like the troubleshooting section and extensive best practices that could be split into reference files.

Total: 9 / 12 (Passed)

Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 11 / 11 passed. No warnings or errors.

Repository: lucianghinda/superpowers-ruby (Reviewed)
