
cc-skill-security-review

This skill ensures all code follows security best practices and identifies potential vulnerabilities. Use when implementing authentication or authorization, handling user input or file uploads, or creating new API endpoints.

62

Quality: 54% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/cc-skill-security-review/SKILL.md

Quality

Discovery

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description has a solid structure with an explicit 'Use when' clause that clearly delineates trigger scenarios, which is its strongest aspect. However, the 'what' portion is somewhat vague—'follows security best practices' and 'identifies potential vulnerabilities' lack the concrete specificity of listing actual security actions or checks performed. Adding more natural trigger terms and specific security capabilities would strengthen it.

Suggestions

Add specific concrete actions such as 'validates input sanitization, checks for SQL injection and XSS vulnerabilities, reviews authentication token handling, enforces secure headers'.

Expand trigger terms to include common user phrases like 'security review', 'vulnerability check', 'OWASP', 'XSS', 'SQL injection', 'password hashing', 'encryption'.

Dimension / Reasoning / Score

Specificity (2 / 3): The description names the domain (security best practices, vulnerabilities) and mentions some actions ('follows security best practices', 'identifies potential vulnerabilities'), but does not list multiple specific concrete actions like 'sanitize inputs, validate tokens, enforce CORS policies, scan for SQL injection'.

Completeness (3 / 3): Clearly answers both 'what' (ensures code follows security best practices, identifies potential vulnerabilities) and 'when' with an explicit 'Use when' clause listing three specific trigger scenarios (authentication/authorization, user input/file uploads, new API endpoints).

Trigger Term Quality (2 / 3): Includes some relevant keywords like 'authentication', 'authorization', 'user input', 'file uploads', 'API endpoints', but misses common natural variations users might say such as 'security review', 'vulnerability scan', 'XSS', 'SQL injection', 'OWASP', 'sanitize', 'encryption', or 'password hashing'.

Distinctiveness / Conflict Risk (2 / 3): The security focus provides some distinctiveness, but 'ensures all code follows security best practices' is broad enough to potentially overlap with general code review skills or linting skills. The trigger scenarios like 'API endpoints' could also conflict with API development skills.

Total: 9 / 12 (Passed)

Implementation

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is comprehensive and highly actionable with excellent executable code examples and clear do/don't patterns. However, it is far too verbose for a SKILL.md file—it reads more like a complete security handbook than a concise skill reference. The lack of progressive disclosure (everything inline in one massive file) and the inclusion of security concepts Claude already understands well significantly reduce its effectiveness as a context-window-efficient skill.

Suggestions

Split the 10 security categories into separate reference files (e.g., INPUT_VALIDATION.md, AUTH_SECURITY.md) and keep SKILL.md as a concise overview with the pre-deployment checklist and links to detailed guides.

Remove explanations of well-known concepts (SQL injection, XSS, CSRF basics) and focus only on project-specific patterns, preferred libraries, and non-obvious configurations.

Add a workflow sequence showing when during development each security check should be applied (e.g., 'Before PR: run checklist items 1-5; Before deploy: run full checklist') with explicit feedback loops for remediation.

Remove the duplicated 'When to Use' and 'Limitations' boilerplate sections at the bottom that repeat the top of the file.

Dimension / Reasoning / Score

Conciseness (1 / 3): The skill is extremely verbose at ~400+ lines, covering 10 security categories with extensive code examples for concepts Claude already knows well (SQL injection, XSS, CSRF, input validation). Much of this is standard security knowledge that doesn't need to be spelled out in such detail. The boilerplate 'When to Use' and 'Limitations' sections at the bottom are duplicative of the top.

Actionability (3 / 3): Every section provides concrete, executable TypeScript/SQL/bash code examples with clear do/don't patterns. The code is copy-paste ready with specific libraries (zod, DOMPurify, express-rate-limit) and includes error handling.

Workflow Clarity (2 / 3): Each section has verification checklists, which is good, and there's a pre-deployment checklist. However, there's no clear sequencing of when to apply which checks during development, no feedback loops for when security issues are found, and the checklist items are presented as flat lists without prioritization or error recovery guidance.

Progressive Disclosure (1 / 3): This is a monolithic wall of content with all 10 security categories fully expanded inline. The content would benefit enormously from being split into separate files (e.g., AUTH_SECURITY.md, INPUT_VALIDATION.md) with the main skill providing a concise overview and links. The external resources at the bottom are just links with no context about when to consult them.

Total: 7 / 12 (Passed)

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure

Criteria / Description / Result

skill_md_line_count: SKILL.md is long (505 lines); consider splitting into references/ and linking. Result: Warning

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 9 / 11 (Passed)

Repository: sickn33/antigravity-awesome-skills (Reviewed)
