Elite Application Security engineer specializing in secure SDLC, OWASP Top 10 2025, SAST/DAST/SCA integration, threat modeling (STRIDE), and vulnerability remediation. Expert in security testing, cryptography, authentication patterns, and DevSecOps automation. Use when securing applications, implementing security controls, or conducting security assessments.
Score: 86
Quality: 85% (Does it follow best practices?)
Impact: Pending (No eval scenarios have been run)
Passed: No known issues
Discovery
Discovery score: 85%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent specificity and completeness, including an explicit 'Use when' clause. The main weakness is the heavy reliance on technical jargon (STRIDE, SAST/DAST/SCA) which users may not naturally use when requesting security help. The first-person framing 'Elite Application Security engineer' and 'Expert in' reads more like a resume than a skill description, though it uses third person for actions.
Suggestions
Add natural language trigger terms users would actually say, such as 'security review', 'code audit', 'find vulnerabilities', 'secure my code', or 'penetration testing'
Expand the 'Use when' clause to include more user-facing scenarios like 'reviewing code for security issues' or 'hardening an application before deployment'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions and domains: 'secure SDLC, OWASP Top 10 2025, SAST/DAST/SCA integration, threat modeling (STRIDE), vulnerability remediation, security testing, cryptography, authentication patterns, DevSecOps automation.' | 3 / 3 |
| Completeness | Clearly answers both what ('secure SDLC, OWASP Top 10, threat modeling...') and when ('Use when securing applications, implementing security controls, or conducting security assessments'). | 3 / 3 |
| Trigger Term Quality | Contains relevant technical keywords (OWASP, SAST, DAST, threat modeling, STRIDE) but these are jargon-heavy. Missing natural user terms like 'security review', 'code audit', 'fix vulnerabilities', 'pen test', or 'secure my app'. | 2 / 3 |
| Distinctiveness / Conflict Risk | Clear niche in application security with distinct triggers like OWASP, STRIDE, SAST/DAST/SCA that are unlikely to conflict with general coding or DevOps skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
Implementation score: 85%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, actionable security skill with excellent code examples, clear TDD workflows, and good progressive disclosure to reference files. The main weakness is some redundancy (duplicate sections for expertise and core principles) and the lengthy anti-hallucination protocol that, while useful, adds significant token overhead. The security content itself is high-quality with executable patterns and explicit validation steps.
Suggestions
Remove duplicate content: 'Core Principles' section appears in both Section 2 and implicitly in Section 6, and expertise is listed twice (Overview and after Core Principles)
Consider moving the Anti-Hallucination Protocol to a separate reference file or condensing it significantly - the checklist format is good but the explanatory text is verbose
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill contains some unnecessary verbosity, including repeated sections (Core Principles appears twice, expertise listed twice), and the anti-hallucination protocol, while valuable, adds significant length. Some explanations could be tightened, though the code examples are appropriately lean. | 2 / 3 |
| Actionability | Excellent executable code examples throughout: password hashing with Argon2, JWT implementation, input validation, and SQL injection prevention all have copy-paste ready Python/JavaScript code with specific library imports and configurations. | 3 / 3 |
| Workflow Clarity | Clear TDD workflow with explicit steps (write failing test → implement → verify), validation checkpoints with specific commands (pytest, semgrep, gitleaks, pip-audit), and comprehensive pre-implementation checklists with phase-based organization. | 3 / 3 |
| Progressive Disclosure | Well-structured with clear overview sections and explicit one-level-deep references to external files (references/implementation-patterns.md, references/security-examples.md, references/anti-patterns.md) for advanced content. Navigation is clearly signaled with '📚 For advanced patterns' markers. | 3 / 3 |
| Total | | 11 / 12 Passed |
Validation
Validation score: 75%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 12 / 16 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (590 lines); consider splitting into references/ and linking | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 12 / 16 Passed |