
backend-security-coder

Expert in secure backend coding practices specializing in input validation, authentication, and API security. Use PROACTIVELY for backend security implementations or security code reviews.

56

Quality: 37% (Does it follow best practices?)

Impact: 86%, 1.43x (Average score across 3 eval scenarios)

Security by Snyk: Passed (No known issues)

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/backend-security-coder/SKILL.md

Quality

Discovery: 67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description has a solid structure with both 'what' and 'when' clauses clearly stated, which is its strongest aspect. However, it operates at a category level rather than listing specific concrete actions, and the trigger terms could be expanded significantly to cover the natural language users would employ when seeking security help. The domain is somewhat distinct but broad enough to risk overlap with adjacent skills.

Suggestions

Add more specific concrete actions like 'sanitize SQL queries, implement JWT authentication, configure CORS policies, prevent XSS/CSRF attacks, hash passwords' to improve specificity.

Expand trigger terms to include natural user phrases like 'SQL injection', 'XSS', 'CSRF', 'OAuth', 'password hashing', 'vulnerability', 'sanitize input', '.env secrets' to improve keyword coverage.

Dimension, reasoning and score:

Specificity: 2 / 3

Names the domain (backend security) and some actions (input validation, authentication, API security, security code reviews), but these are more like categories than concrete actions. It doesn't list specific tasks like 'sanitize SQL queries, implement JWT token validation, configure CORS headers'.

Completeness: 3 / 3

Clearly answers both 'what' (secure backend coding practices specializing in input validation, authentication, and API security) and 'when' (Use PROACTIVELY for backend security implementations or security code reviews), with an explicit trigger clause.

Trigger Term Quality: 2 / 3

Includes some relevant keywords like 'input validation', 'authentication', 'API security', and 'security code reviews', but misses many natural user terms like 'SQL injection', 'XSS', 'CSRF', 'authorization', 'password hashing', 'OAuth', 'sanitization', or 'vulnerability'.

Distinctiveness / Conflict Risk: 2 / 3

The focus on 'backend security' provides some distinctiveness, but terms like 'authentication' and 'API security' could overlap with general API development skills or authentication-specific skills. The scope is broad enough to potentially conflict with other security or backend skills.

Total: 9 / 12 (Passed)

Implementation: 7%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads as a persona description or role card rather than an actionable skill. It exhaustively catalogs security concepts Claude already knows without providing any concrete code, specific implementation patterns, or executable guidance. The content is extremely verbose with no code examples, no validation steps, and no novel information that would help Claude perform security tasks better than it already can.

Suggestions

Replace the extensive capability/knowledge listings with 3-5 concrete, executable code examples showing secure implementations (e.g., parameterized queries, JWT validation, CSP header configuration) that demonstrate project-specific patterns or preferences.

Add validation checkpoints to the workflow, such as specific security testing commands, linting tools, or verification steps (e.g., 'Run `bandit -r src/` to check for common Python security issues').

Move the detailed capability taxonomy into the referenced 'resources/implementation-playbook.md' file and keep SKILL.md as a concise overview with quick-reference patterns.

Remove sections that describe Claude's existing knowledge (Behavioral Traits, Knowledge Base, Capabilities lists) and replace with project-specific security requirements, approved libraries, or organization-specific security standards that Claude wouldn't otherwise know.

Dimension, reasoning and score:

Conciseness: 1 / 3

Extremely verbose and padded with information Claude already knows. The bulk of the content is a taxonomy of security concepts (OWASP Top 10, JWT, CSRF, etc.) that Claude is already deeply familiar with. Lists like 'Behavioral Traits', 'Knowledge Base', and 'Capabilities' describe what Claude should know rather than providing novel, actionable instructions. The content could be reduced by 80%+ without losing useful guidance.

Actionability: 1 / 3

No concrete code examples, no executable commands, no specific implementation patterns. The entire skill is abstract descriptions and bullet-point lists of concepts. Statements like 'Implements defense-in-depth with multiple security layers' and 'Uses parameterized queries and prepared statements exclusively' describe behaviors without showing how. The 'Example Interactions' section lists prompts rather than providing actual code or implementation guidance.

Workflow Clarity: 1 / 3

The 'Response Approach' section lists 9 high-level steps, but they are vague and lack validation checkpoints. For a security-focused skill involving potentially destructive or risky operations (authentication, database security), there are no verification steps, no feedback loops, and no concrete validation commands. Steps like 'Review and test security controls' are not actionable.

Progressive Disclosure: 2 / 3

There is one reference to an external file ('resources/implementation-playbook.md'), which is good, but the main content is a monolithic wall of bullet points that should have been split into separate reference files. The massive capability listings would be better served as linked references rather than inline content consuming hundreds of lines.

Total: 5 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

Criteria, description and result:

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata (Warning)

Total: 10 / 11 (Passed)

Repository: sickn33/antigravity-awesome-skills (Reviewed)
