security-review
Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.
Install with Tessl CLI
npx tessl i github:sc30gsw/claude-code-customes --skill security-review81
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skillEvaluation — 81%
↓ 0.90xAgent success when using this skill
Validation for skill structure
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description has strong completeness with an explicit 'Use this skill when...' clause and good trigger term coverage for security-related tasks. However, it lacks specificity about concrete actions (what exactly does the checklist cover? what patterns are provided?) and could potentially conflict with general API or authentication skills.
Suggestions
Add specific concrete actions like 'validates input sanitization, reviews authentication flows, checks for SQL injection vulnerabilities, audits secret management'
Differentiate from general API/auth skills by emphasizing the security audit/review aspect more explicitly
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Names the domain (security) and lists several areas (authentication, user input, secrets, API endpoints, payment features), but lacks concrete actions - 'Provides comprehensive security checklist and patterns' is vague about what specific actions are performed. | 2 / 3 |
Completeness | Explicitly answers both what ('Provides comprehensive security checklist and patterns') and when ('Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features'). | 3 / 3 |
Trigger Term Quality | Good coverage of natural terms users would say: 'authentication', 'user input', 'secrets', 'API endpoints', 'payment', 'sensitive features' are all terms developers naturally use when discussing security concerns. | 3 / 3 |
Distinctiveness Conflict Risk | While security-focused, terms like 'API endpoints' and 'user input' could overlap with general web development or API skills. The security niche is clear but boundaries with adjacent skills could be sharper. | 2 / 3 |
Total | 10 / 12 Passed |
Implementation
77%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, actionable security skill with excellent executable code examples and comprehensive verification checklists. The main weakness is its length - it tries to cover everything inline rather than using progressive disclosure to split detailed implementations into separate files. The content is well-structured but could be more token-efficient by assuming Claude's baseline security knowledge.
Suggestions
Split detailed code examples into separate files (e.g., AUTH_PATTERNS.md, INPUT_VALIDATION.md) and keep SKILL.md as a concise overview with links
Remove explanatory text that describes what vulnerabilities are (e.g., 'SQL Injection Prevention' section could skip explaining what SQL injection is) and focus purely on the patterns
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is comprehensive but includes some redundant explanations Claude would know (e.g., explaining what SQL injection is). The extensive checklists and examples are valuable but could be tightened in places. | 2 / 3 |
Actionability | Excellent executable code examples throughout - TypeScript validation schemas, SQL policies, rate limiting implementations, and security tests are all copy-paste ready with real library imports and complete implementations. | 3 / 3 |
Workflow Clarity | Clear verification checklists after each section provide explicit validation steps. The pre-deployment checklist serves as a comprehensive feedback loop, and each security domain has its own verification steps to catch issues. | 3 / 3 |
Progressive Disclosure | Content is well-organized with clear sections, but the skill is monolithic at ~400 lines. The detailed code examples for each security domain could be split into separate reference files (e.g., AUTH.md, INPUT_VALIDATION.md) with SKILL.md serving as an overview. | 2 / 3 |
Total | 10 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.