cc-skill-security-review

This skill ensures all code follows security best practices and identifies potential vulnerabilities. Use when implementing authentication or authorization, handling user input or file uploads, or creating new API endpoints.

58

Quality: Does it follow best practices?

Impact: No eval scenarios have been run

Security by Snyk: Passed (no known issues)


Quality

Content

57%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is a thorough, well-sectioned security reference with concrete code and per-section checklists, but it is overlong and redundant, mixes inconsistent framework examples, and is monolithic with no progressive disclosure into bundle files.

Suggestions

Dedupe the duplicated "When to Use" block and remove the generic filler line; collapse the master checklist to reference the per-section checks instead of repeating them.

Move the per-topic code deep-dives into reference files (e.g., references/secrets.md, references/auth.md) and keep SKILL.md as a concise overview with one-level-deep links.

Fix the inconsistent/non-existent imports (express-rate-limit vs Next.js context, @/lib/csrf, @solana/web3.js verify) so examples are genuinely copy-paste ready.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The ~500-line body is mostly useful but padded: the "When to Use" list is duplicated (top and near the end), a generic filler line ("This skill is applicable to execute the workflow or actions described in the overview") is present, and the master "Pre-Deployment Security Checklist" repeats the per-section "Verification Steps" checklists. | 2 / 3 |
| Actionability | It provides abundant concrete, executable code (zod schemas, parameterized queries, RLS SQL, DOMPurify, rate limiting, npm audit), but a few examples are not copy-paste ready due to hypothetical or inconsistent imports ("@/lib/csrf", express-rate-limit mixed with Next.js NextResponse, "verify" from @solana/web3.js). | 2.5 / 3 |
| Workflow Clarity | Content is organized into 10 numbered sections, each with a "Verification Steps" checklist, plus a master pre-deployment checklist, but there is no true sequenced workflow with feedback loops (validate → fix → retry) for the destructive or batch operations it covers. | 2 / 3 |
| Progressive Disclosure | It is a single monolithic ~500-line file with no bundle files (references/, scripts/, assets/ are absent) and only external URLs; all ten topic deep-dives are inline when much of this reference material should be split into separate files. | 2 / 3 |
| Total | | 8.5 / 12 |

Passed

Description

78%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description cleanly covers both what the skill does and when to use it with explicit triggers, and includes several natural keywords. It is held back by buzzwordy capability language and triggers broad enough to overlap with general development skills.

Suggestions

Replace "ensures all code follows security best practices" with specific concrete actions (e.g., "audits code for hardcoded secrets, injection flaws, and missing auth checks").

Add common security trigger variations users actually say (login, passwords, secrets, SQL injection, XSS, CSRF) to improve trigger coverage and distinctiveness.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | It names the security domain and one concrete action ("identifies potential vulnerabilities") but leans on the buzzwordy "ensures all code follows security best practices" rather than listing multiple specific actions, so it sits at the domain-and-some-actions level rather than a comprehensive action list. | 2 / 3 |
| Completeness | It explicitly answers what ("ensures all code follows security best practices and identifies potential vulnerabilities") and when via an explicit "Use when..." clause with concrete triggers, satisfying both halves. | 3 / 3 |
| Trigger Term Quality | It surfaces several natural terms a user would say ("authentication or authorization", "user input", "file uploads", "new API endpoints", "vulnerabilities"), but misses common security variations (login, passwords, secrets, injection, XSS), so coverage is good but not comprehensive. | 2.5 / 3 |
| Distinctiveness Conflict Risk | The security-review niche is clear, but triggers like "creating new API endpoints" and "handling user input" overlap heavily with general coding skills, so it could still fire for the wrong skill. | 2.5 / 3 |
| Total | | 10 / 12 |

Passed

Validation

87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 14 / 16 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| skill_md_line_count | SKILL.md is long (505 lines); consider splitting into references/ and linking | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 14 / 16 |

Passed

Repository: sickn33/antigravity-awesome-skills (Reviewed)
