Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.
76
62%
Does it follow best practices?
Impact: 80% (0.88x average score across 8 eval scenarios)
Advisory: Suggest reviewing before use
Optimize this skill with Tessl: `npx tessl skill review --optimize ./.claude/skills/security-review/SKILL.md`
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description has good trigger term coverage and explicitly addresses both 'what' and 'when', making it functional for skill selection. However, the actual capabilities are described vaguely ('comprehensive security checklist and patterns') rather than listing specific concrete actions, and the broad scope across authentication, input handling, APIs, and payments creates overlap risk with more specialized skills. The description also uses second person voice ('Use this skill') which is a minor style issue.
Suggestions
Replace 'Provides comprehensive security checklist and patterns' with specific actions like 'Validates input sanitization, configures CSRF protection, implements secret rotation, enforces HTTPS, reviews authentication flows'.
Narrow the scope or add distinguishing qualifiers to reduce overlap — e.g., clarify this is a security review/audit skill rather than an implementation skill for APIs or authentication.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (security) and lists several areas (authentication, secrets, API endpoints, payment features), but the actual actions are vague: 'Provides comprehensive security checklist and patterns' doesn't describe concrete actions like 'validates input against injection attacks' or 'encrypts secrets at rest'. | 2 / 3 |
| Completeness | Explicitly answers both 'when' ('Use this skill when adding authentication, handling user input, working with secrets...') and 'what' ('Provides comprehensive security checklist and patterns'). The 'Use when' clause is present and detailed. | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would actually say: 'authentication', 'user input', 'secrets', 'API endpoints', 'payment', 'sensitive features'. These cover a good range of security-related queries. | 3 / 3 |
| Distinctiveness / Conflict Risk | While the security focus is somewhat distinct, terms like 'handling user input', 'creating API endpoints', and 'authentication' could easily overlap with general web development, API design, or authentication-specific skills. The scope is broad enough to risk false triggers. | 2 / 3 |
| Total | | 10 / 12 Passed |
Implementation
42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is a comprehensive security reference with excellent, executable code examples across many domains, but it suffers significantly from verbosity and poor progressive disclosure. It reads as a security textbook rather than a skill file—most of these concepts (SQL injection, XSS, CSRF) are well within Claude's existing knowledge, so the skill should focus on project-specific conventions and a concise checklist rather than teaching fundamentals. The content would benefit greatly from being split into a brief overview with links to topic-specific files.
Suggestions
Reduce the main SKILL.md to a concise overview (~50-80 lines) with the pre-deployment checklist and brief project-specific conventions, moving detailed topic sections (XSS, CSRF, SQL injection, etc.) into separate referenced files like SECURITY_INPUT_VALIDATION.md, SECURITY_AUTH.md, etc.
Remove explanations of concepts Claude already knows (what SQL injection is, why XSS is dangerous) and focus only on project-specific patterns, preferred libraries, and conventions unique to this codebase.
Add a clear sequential workflow for performing a security review: e.g., 1) Identify what type of change this is, 2) Run through relevant checklist sections, 3) Verify with automated tests, 4) Document findings—with explicit validation checkpoints.
Remove or relocate the Solana/blockchain section to a separate optional file, as it's a niche concern that adds significant length for most use cases.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | At ~400+ lines, this skill is extremely verbose. It explains well-known security concepts (SQL injection, XSS, CSRF) that Claude already understands deeply. The ❌/✅ pattern pairs, while clear, are redundant for an AI that knows these patterns. Much of this could be reduced to a concise checklist with key code snippets only for project-specific conventions. | 1 / 3 |
| Actionability | The skill provides fully executable TypeScript/SQL code examples throughout, with concrete libraries (zod, DOMPurify, express-rate-limit), specific configurations, and copy-paste ready patterns. Every section includes working code rather than abstract descriptions. | 3 / 3 |
| Workflow Clarity | The checklist structure provides clear categories and verification steps, and the pre-deployment checklist is a good summary. However, there's no sequenced workflow for performing a security review; it's a reference document rather than a step-by-step process. There's no feedback loop for what to do when issues are found during review. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of content with 10 major sections all inline. The blockchain security section, security testing, and individual topic deep-dives (XSS, CSRF, etc.) should be split into separate reference files, with SKILL.md serving as a concise overview pointing to them. External links at the bottom don't compensate for the lack of internal file organization. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
7aff694