
security-best-practices

Implement security best practices for web applications and infrastructure. Use when securing APIs, preventing common vulnerabilities, or implementing security policies. Handles HTTPS, CORS, XSS, SQL Injection, CSRF, rate limiting, and OWASP Top 10.

Overall score: 88

Quality: 82% (Does it follow best practices?)

Impact: 100%, 1.49x (average score across 3 eval scenarios)

Security by Snyk: Passed, no known issues


Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that excels across all dimensions. It clearly defines the security domain, provides explicit 'Use when' guidance, and includes comprehensive trigger terms covering both high-level concepts (security policies, vulnerabilities) and specific technical terms (XSS, CSRF, OWASP Top 10). The description uses proper third-person voice and is concise yet comprehensive.

Dimension, reasoning, and score:

Specificity (3 / 3): Lists multiple specific concrete actions and security concerns: 'securing APIs, preventing common vulnerabilities, implementing security policies' plus specific technical items like 'HTTPS, CORS, XSS, SQL Injection, CSRF, rate limiting, and OWASP Top 10'.

Completeness (3 / 3): Clearly answers both what ('Implement security best practices for web applications and infrastructure') and when ('Use when securing APIs, preventing common vulnerabilities, or implementing security policies') with explicit trigger guidance.

Trigger Term Quality (3 / 3): Excellent coverage of natural terms users would say: 'security', 'APIs', 'vulnerabilities', 'HTTPS', 'CORS', 'XSS', 'SQL Injection', 'CSRF', 'rate limiting', 'OWASP Top 10' - these are all terms developers naturally use when discussing security concerns.

Distinctiveness / Conflict Risk (3 / 3): Clear security-focused niche with distinct triggers like 'XSS', 'SQL Injection', 'CSRF', 'OWASP Top 10' that are unlikely to conflict with non-security skills. The domain is well-defined as web application and infrastructure security.

Total: 12 / 12

Passed

Implementation: 64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides comprehensive, actionable security guidance with executable code examples covering major web security concerns. Its main weaknesses are the lack of validation/verification steps for security implementations and some organizational bloat (empty placeholders, metadata sections). The content would benefit from explicit testing steps to verify security measures are working correctly.

Suggestions

Add verification steps after each security implementation (e.g., 'Test with: curl -I https://yoursite.com | grep -i strict-transport-security' to verify HSTS)

Remove empty placeholder sections (Example 1, Example 2) or populate them with concrete security testing scenarios

Move the detailed OWASP checklist and Kubernetes secrets examples to separate reference files, keeping SKILL.md as a concise overview

Remove the Metadata section (version, tags, related skills) as this adds tokens without actionable value for Claude

Dimension, reasoning, and score:

Conciseness (2 / 3): The skill is mostly efficient with executable code examples, but includes some unnecessary elements like empty example placeholders, metadata sections with version info, and the 'Related skills' section that add bulk without value. The code comments explaining what things do (e.g., '// Helmet: automatically set security headers') are borderline unnecessary for Claude.

Actionability (3 / 3): Provides fully executable TypeScript code examples for each security concern - HTTPS enforcement, input validation, CSRF protection, secrets management, and JWT authentication. Code is copy-paste ready with real library imports and complete implementations.

Workflow Clarity (2 / 3): Steps are clearly numbered (Step 1-5) with logical progression, but lacks explicit validation checkpoints. For security implementations that can fail silently or have subtle misconfigurations, there should be verification steps (e.g., 'Test CSRF protection by attempting request without token', 'Verify headers with curl -I').

Progressive Disclosure (2 / 3): Has good structure with clear sections and references to external resources (OWASP, helmet.js docs), but the skill itself is quite long (~200 lines of code). The OWASP checklist and some detailed implementations could be split into separate reference files. The empty example sections at the end suggest incomplete organization.

Total: 9 / 12

Passed

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

Criteria, description, and result:

metadata_version: 'metadata.version' is missing (Warning)

Total: 10 / 11

Passed

Repository: supercent-io/skills-template (Reviewed)
