Scans source code for security vulnerabilities by applying Project CodeGuard rules — injection, unsafe deserialization, XSS, path traversal, broken access control. Use when performing a security audit, when reviewing a PR that touches request handlers or database queries, when the user asks for a vulnerability scan, or when wiring security checks into CI.
Install with Tessl CLI
npx tessl i github:santosomar/general-secure-coding-agent-skills --skill static-vulnerability-detector89
Quality
86%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that hits all the marks. It provides specific vulnerability types being scanned, uses third person voice correctly, includes a comprehensive 'Use when...' clause with multiple realistic trigger scenarios, and establishes a clear niche that distinguishes it from general code review or testing skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions and vulnerability types: 'injection, unsafe deserialization, XSS, path traversal, broken access control'. These are precise, actionable security concerns rather than vague language. | 3 / 3 |
| Completeness | Clearly answers both what ('Scans source code for security vulnerabilities by applying Project CodeGuard rules') and when, with an explicit 'Use when...' clause covering four distinct trigger scenarios. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'security audit', 'vulnerability scan', 'PR', 'request handlers', 'database queries', 'security checks', 'CI'. These match how developers naturally discuss security work. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clear niche focused on security vulnerability scanning with a specific methodology (Project CodeGuard rules) and distinct triggers like 'security audit' and 'vulnerability scan' that wouldn't overlap with general code review or testing skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
72%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill effectively delegates to an external framework (CodeGuard) rather than duplicating vulnerability taxonomies, which is a smart architectural choice. However, it lacks concrete examples of invocation and output format, and the workflow could benefit from explicit validation steps for a security-critical operation.
Suggestions
- Add a concrete example showing how to invoke a CodeGuard rule and what the output finding format looks like (CWE, severity, source→sink trace).
- Include validation checkpoints in the workflow, such as verifying that rules loaded correctly and confirming scan coverage before finalizing the report.
- Provide a minimal executable example or command showing how to run a scan against sample code.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Lean and efficient: delegates to an external framework rather than duplicating content, and provides only the dispatch table and workflow needed to use it. No unnecessary explanations of what vulnerabilities are. | 3 / 3 |
| Actionability | Provides a clear dispatch table mapping finding classes to rules, but lacks concrete examples of how to actually invoke these rules, what the output format looks like, or executable commands/code to run the scan. | 2 / 3 |
| Workflow Clarity | A four-step workflow is listed but lacks validation checkpoints: no guidance on what to do if rules fail to load, no verification that findings are complete, and no feedback loop for handling edge cases or errors. | 2 / 3 |
| Progressive Disclosure | Appropriately structured with a clear reference to upstream documentation for full details. The single-level reference to the external CodeGuard SKILL.md is well signaled, and the overview contains just enough to understand the dispatch mechanism. | 3 / 3 |
| Total | | 10 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.