Sets up taint tracking by defining sources, sinks, and sanitizers from Project CodeGuard's input-validation taxonomy, then configures the target tool (CodeQL, Semgrep, custom instrumentation). Use when wiring taint analysis into CI, when the user asks for taint tracking, or when you need a source/sink catalog for a specific language.
Install with Tessl CLI
npx tessl i github:santosomar/general-secure-coding-agent-skills --skill taint-instrumentation-assistant
Quality
92%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly articulates specific capabilities around taint tracking configuration, includes relevant technical trigger terms users would naturally use, and provides explicit guidance on when to apply the skill. The description is well-structured with concrete tool names and a clear 'Use when' clause covering multiple scenarios.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'defining sources, sinks, and sanitizers', 'configures the target tool', and names specific tools (CodeQL, Semgrep, custom instrumentation). Uses third person voice correctly. | 3 / 3 |
| Completeness | Clearly answers both what (sets up taint tracking with sources/sinks/sanitizers, configures tools) AND when with explicit 'Use when' clause covering three distinct trigger scenarios: CI integration, user requests, and source/sink catalog needs. | 3 / 3 |
| Trigger Term Quality | Includes natural keywords users would say: 'taint tracking', 'taint analysis', 'source/sink', 'CI', 'CodeQL', 'Semgrep', and 'input-validation'. Good coverage of both technical terms and common variations. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly specific niche around taint tracking and static analysis tooling. References specific taxonomy (Project CodeGuard) and specific tools (CodeQL, Semgrep), making it unlikely to conflict with general security or code analysis skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
85%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is well-structured and concise, effectively delegating detailed taxonomy to external CodeGuard resources while providing a clear workflow. Its main weakness is the lack of concrete, executable examples—the skill describes what to produce (CodeQL predicates, Semgrep patterns) but doesn't show actual code snippets that could be adapted.
Suggestions
Add a concrete example showing a CodeQL source/sink predicate or Semgrep pattern-sources/pattern-sinks YAML snippet
Include a minimal executable example of step 4's verification process (e.g., a test case with known-tainted input)
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient, assuming Claude understands taint tracking concepts without explanation. Every section serves a purpose with no padding or unnecessary context. | 3 / 3 |
| Actionability | Provides clear workflow steps and references to external sources, but lacks concrete executable examples. No actual CodeQL predicates, Semgrep patterns, or code snippets are provided, only descriptions of what to produce. | 2 / 3 |
| Workflow Clarity | Clear 4-step sequence with an explicit validation checkpoint (step 4: inject known-tainted flow and confirm). The workflow is well-ordered with a verification step before trusting the configuration. | 3 / 3 |
| Progressive Disclosure | Appropriately delegates detailed taxonomy to external CodeGuard resources with clear one-level-deep references. The dispatch table clearly signals where to find specific information without burying content in nested files. | 3 / 3 |
| Total | | 11 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.