Implement security best practices for web applications and infrastructure. Use when securing APIs, preventing common vulnerabilities, or implementing security policies. Handles HTTPS, CORS, XSS, SQL Injection, CSRF, rate limiting, and OWASP Top 10.
Install with Tessl CLI
npx tessl i github:supercent-io/skills-template --skill security-best-practices
Overall score: 85%
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that excels across all dimensions. It provides specific capabilities, includes a comprehensive list of natural trigger terms that developers would use, explicitly states both what the skill does and when to use it, and carves out a distinct security-focused niche that minimizes conflict with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple concrete actions and security concerns: 'securing APIs, preventing common vulnerabilities, implementing security policies' plus specific technologies like 'HTTPS, CORS, XSS, SQL Injection, CSRF, rate limiting, and OWASP Top 10'. | 3 / 3 |
| Completeness | Clearly answers both what ('Implement security best practices for web applications and infrastructure') and when ('Use when securing APIs, preventing common vulnerabilities, or implementing security policies') with explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'security', 'APIs', 'vulnerabilities', 'HTTPS', 'CORS', 'XSS', 'SQL Injection', 'CSRF', 'rate limiting', 'OWASP Top 10'. These are all terms developers naturally use when discussing security. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clear security-focused niche with distinct triggers around web security, vulnerabilities, and specific security protocols. Unlikely to conflict with general coding or infrastructure skills due to explicit security terminology. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides solid, actionable security guidance with executable code examples covering major web security concerns (HTTPS, XSS, SQL Injection, CSRF, rate limiting). However, it lacks validation/verification steps to confirm security measures are working, includes unnecessary metadata bloat, and has empty example sections that should either be filled or removed.
Suggestions
Add validation checkpoints for each security step (e.g., 'Test rate limiting: `curl -X POST http://localhost:3000/api/auth/login` 6 times and verify 429 response')
Remove the empty Examples section placeholders and the Metadata section with version/platform info that adds no actionable value
Add a 'Verification' section with commands to test each security measure (e.g., using OWASP ZAP, curl commands, or browser dev tools)
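The rate-limiting checkpoint suggested above, written out as an added example (it is not code from the skill or from this review): a minimal fixed-window limiter of the kind the skill's login protection describes, wrapped around a login handler, with the "six attempts, expect 429" check replayed in-process against a fixed clock so it runs offline. The route `/api/auth/login`, the limit of 5 attempts per 15 minutes, the demo credential and the client IPs are assumptions; against a live server the same check is the suggestion's `curl -X POST http://localhost:3000/api/auth/login` issued six times.

```typescript
// Added example, not the skill's own code. Fixed-window login rate limiter
// plus the verification checkpoint the review asks for, run in-process.

interface RateLimitOptions {
  windowMs: number; // length of the counting window in milliseconds
  max: number;      // attempts allowed per key (here: per client IP) per window
}

interface Bucket {
  count: number;   // attempts seen in the current window
  resetAt: number; // epoch ms at which the window rolls over
}

interface Decision {
  allowed: boolean;
  remaining: number;     // attempts left in this window after this one
  retryAfterSec: number; // seconds until the window resets (0 when allowed)
}

class FixedWindowLimiter {
  private readonly opts: RateLimitOptions;
  private readonly buckets = new Map<string, Bucket>();

  constructor(opts: RateLimitOptions) {
    this.opts = opts;
  }

  // Counts the attempt before the credential check runs, so failed and
  // successful logins both consume budget and the 429 cannot be bypassed.
  check(key: string, now: number): Decision {
    let bucket = this.buckets.get(key);
    if (bucket === undefined || now >= bucket.resetAt) {
      bucket = { count: 0, resetAt: now + this.opts.windowMs };
      this.buckets.set(key, bucket);
    }
    if (bucket.count >= this.opts.max) {
      const retryAfterSec = Math.ceil((bucket.resetAt - now) / 1000);
      return { allowed: false, remaining: 0, retryAfterSec };
    }
    bucket.count += 1;
    return { allowed: true, remaining: this.opts.max - bucket.count, retryAfterSec: 0 };
  }
}

interface LoginRequest {
  ip: string;
  body: { username: string; password: string };
}

interface LoginResponse {
  status: number;
  headers: Record<string, string>;
}

// Constructed credential for the example only; a real service compares a
// password hash, never a plaintext constant.
const DEMO_USER = { username: "alice", password: "correct horse battery staple" };

// Handler for POST /api/auth/login (assumed route), built around a given
// limiter so each verification run starts from a clean slate.
function makeLoginHandler(limiter: FixedWindowLimiter) {
  return (req: LoginRequest, now: number): LoginResponse => {
    const decision = limiter.check(req.ip, now);
    if (!decision.allowed) {
      return { status: 429, headers: { "Retry-After": String(decision.retryAfterSec) } };
    }
    const ok =
      req.body.username === DEMO_USER.username && req.body.password === DEMO_USER.password;
    return {
      status: ok ? 200 : 401,
      headers: { "X-RateLimit-Remaining": String(decision.remaining) },
    };
  };
}

// The checkpoint itself: replay N attempts from one IP inside one window and
// return the status codes. Over a live server this is six `curl -X POST` calls.
function verifyRateLimit(attempts = 6, ip = "203.0.113.10"): number[] {
  const handler = makeLoginHandler(new FixedWindowLimiter({ windowMs: 15 * 60 * 1000, max: 5 }));
  const t0 = 1_700_000_000_000; // fixed clock so the run is deterministic
  const bad = { username: "alice", password: "wrong" };
  const statuses: number[] = [];
  for (let i = 0; i < attempts; i++) {
    statuses.push(handler({ ip, body: bad }, t0 + i * 1000).status);
  }
  return statuses;
}

// Two things the 429 check alone does not prove: the limit is per client,
// and it lifts once the window has passed.
function verifyIsolationAndReset(): { otherClient: number; afterWindow: number } {
  const handler = makeLoginHandler(new FixedWindowLimiter({ windowMs: 15 * 60 * 1000, max: 5 }));
  const t0 = 1_700_000_000_000;
  const attacker = { ip: "203.0.113.10", body: { username: "alice", password: "wrong" } };
  for (let i = 0; i < 6; i++) handler(attacker, t0 + i * 1000);
  const legit = { ip: "198.51.100.7", body: DEMO_USER };
  const otherClient = handler(legit, t0 + 6000).status;              // 200: separate bucket
  const afterWindow = handler(attacker, t0 + 15 * 60 * 1000).status; // 401: window reset, bad password again
  return { otherClient, afterWindow };
}

console.log(verifyRateLimit());         // [401, 401, 401, 401, 401, 429]
console.log(verifyIsolationAndReset()); // { otherClient: 200, afterWindow: 401 }
```

Keying the limiter on the client IP is what makes the second function meaningful: a checkpoint that only confirms the 429 would also pass a limiter that blocks every client after five attempts from anyone. In production the same check should run against the deployed service with a real clock, and the `Retry-After` value should be read back from the 429 to confirm the window length matches the configuration.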
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is mostly efficient with good code examples, but includes some unnecessary elements like the metadata section with version info, platform compatibility, and empty example placeholders that add no value. The Korean comments are helpful but some explanations could be tighter. | 2 / 3 |
| Actionability | Provides fully executable TypeScript code examples for each security concern (Helmet, rate limiting, Joi validation, CSRF, JWT). Code is copy-paste ready with proper imports and realistic configurations. | 3 / 3 |
| Workflow Clarity | Steps are clearly numbered (Step 1-5) covering different security aspects, but lacks validation checkpoints. No guidance on how to verify security implementations are working correctly, or how to test for vulnerabilities after applying fixes. | 2 / 3 |
| Progressive Disclosure | Content is reasonably organized with clear sections, but the document is quite long (~200 lines of code/content) and could benefit from splitting detailed implementations into separate files. References to external resources are present but related skills links point to non-existent paths. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation for skill structure: 10 / 11 passed
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |