This skill ensures all code follows security best practices and identifies potential vulnerabilities. Use when implementing authentication or authorization, handling user input or file uploads, or creating new API endpoints.
Does it follow best practices?
- Impact: Pending (no eval scenarios have been run)
- Passed: no known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/cc-skill-security-review/SKILL.md

Quality

Discovery: 67%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description has a solid structure with explicit 'Use when' triggers that clearly communicate when to select this skill, which is its strongest aspect. However, it lacks specificity in the concrete security actions it performs (e.g., input sanitization, token validation, encryption) and could include more natural trigger terms that users would use when seeking security help. The scope of some triggers like 'handling user input' is broad enough to risk overlap with non-security skills.
Suggestions
Add specific concrete security actions such as 'sanitize inputs against XSS/SQL injection, validate authentication tokens, enforce CORS policies, review encryption usage, check for CSRF vulnerabilities'.
Expand trigger terms to include natural user phrases like 'security review', 'vulnerability check', 'XSS', 'SQL injection', 'CSRF', 'password hashing', 'encryption', 'secrets management'.
Narrow the broader triggers to be more security-specific, e.g., change 'handling user input' to 'validating and sanitizing user input for security' to reduce conflict risk with general coding skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (security best practices, vulnerabilities) and mentions some actions ('follows security best practices', 'identifies potential vulnerabilities'), but does not list multiple specific concrete actions like 'sanitize inputs, validate tokens, enforce CORS policies, scan for SQL injection'. | 2 / 3 |
| Completeness | Clearly answers both 'what' (ensures code follows security best practices, identifies vulnerabilities) and 'when' with explicit triggers ('Use when implementing authentication or authorization, handling user input or file uploads, or creating new API endpoints'). | 3 / 3 |
| Trigger Term Quality | Includes some relevant keywords like 'authentication', 'authorization', 'user input', 'file uploads', 'API endpoints', but misses common natural terms users might say such as 'security review', 'vulnerability scan', 'XSS', 'SQL injection', 'CSRF', 'sanitize', 'encryption', or 'password hashing'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The security focus provides some distinctiveness, but 'handling user input' and 'creating new API endpoints' are broad enough to overlap with general coding, input validation, or API development skills. The triggers could conflict with non-security-focused skills that also deal with these areas. | 2 / 3 |
| Total | | 9 / 12 Passed |
Implementation: 42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable code examples across a comprehensive range of security topics, which is its primary strength. However, it is far too verbose for a SKILL.md file—most of this content covers well-known security patterns that Claude already understands, and the monolithic structure with no progressive disclosure makes it an inefficient use of context window. It would benefit greatly from being restructured as a concise overview with references to detailed sub-files.
Suggestions
Restructure as a concise SKILL.md overview (under 80 lines) with the security checklist summary, and move detailed code examples for each category into separate files (e.g., INPUT_VALIDATION.md, AUTH_SECURITY.md, XSS_PREVENTION.md).
Remove explanations of basic security concepts Claude already knows (SQL injection, XSS, CSRF fundamentals) and focus only on project-specific patterns, preferred libraries, and non-obvious conventions.
Add a clear sequential workflow for conducting a security review: e.g., 1) Identify the type of change, 2) Run relevant checklist items, 3) Verify with automated tests, 4) Document findings—with explicit feedback loops when issues are found.
Remove the duplicated 'When to Use' section at the bottom and the generic closing statement about security not being optional.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~400+ lines, covering 10 security categories with full code examples for concepts Claude already knows well (SQL injection, XSS, CSRF, input validation). Much of this is standard security knowledge that doesn't need to be spelled out in such detail. The blockchain section is niche and may not apply to most projects, adding unnecessary bulk. | 1 / 3 |
| Actionability | Every section provides fully executable TypeScript/SQL/bash code examples with clear do/don't patterns. The code is copy-paste ready with specific libraries (zod, DOMPurify, express-rate-limit) and concrete implementations rather than pseudocode. | 3 / 3 |
| Workflow Clarity | The skill provides checklists for verification at each step and a comprehensive pre-deployment checklist, but it reads more as a reference catalog than a workflow. There's no clear sequence for how to conduct a security review (e.g., start here, then check this, then validate that), and no feedback loops for when issues are found during review. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of content with no references to external files. The 10 security categories with full code examples should be split into separate reference files, with SKILL.md serving as an overview pointing to detailed guides per category. Everything is inline, making it overwhelming. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |