CtrlK
BlogDocsLog inGet started
Tessl Logo

codeql

Scans a codebase for security vulnerabilities using CodeQL's interprocedural data flow and taint tracking analysis. Triggers on "run codeql", "codeql scan", "codeql analysis", "build codeql database", or "find vulnerabilities with codeql". Supports "run all" (security-and-quality + security-experimental suites) and "important only" (high-precision security findings) scan modes. Also handles creating data extension models and processing CodeQL SARIF output.

74

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

85%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is actionable and well-structured with clear workflow sequencing, validation checkpoints, and genuine one-level-deep reference files. Its only weakness is mild repetition in the output-directory resolution logic that slightly inflates token use.

Suggestions

Consolidate the output-directory resolution logic — it appears in both the Output Directory and Quick Start sections — into a single canonical block to reduce repetition.

The Auto-Detection Logic shell snippet duplicates the database-discovery find command already shown above; reference it or trim to one canonical example.

DimensionReasoningScore

Conciseness

The body is well-targeted (no 'what is CodeQL' explainer) and assumes competence, but the Quick Start and Output Directory sections re-state the directory-resolution logic already detailed elsewhere, adding repetition a leaner pass would remove.

2 / 3

Actionability

Provides fully executable shell snippets (find for database discovery, codeql resolve database, jq extraction, mkdir pipeline) that are copy-paste ready and parameterized with real flags.

3 / 3

Workflow Clarity

Workflows are explicitly sequenced (build → extensions → analysis), each phase gates the next, and the Success Criteria checklist plus 'Rationalizations to Reject' supply validation checkpoints and error-recovery guidance for zero-finding cases.

3 / 3

Progressive Disclosure

SKILL.md is an overview with a Reference Index table linking to real one-level-deep workflows/ and references/ files (verified to exist), keeping detail out of the main body while signaling navigation clearly.

3 / 3

Total

11

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific, third-person, and rich in natural trigger phrases covering both what the skill does and when to invoke it. It is clearly distinct from other analysis skills and uses no first/second person voice.

DimensionReasoningScore

Specificity

Lists multiple concrete actions: 'Scans a codebase for security vulnerabilities using CodeQL's interprocedural data flow and taint tracking analysis', 'creating data extension models', and 'processing CodeQL SARIF output'.

3 / 3

Completeness

Clearly answers 'what' (interprocedural data flow / taint tracking scans, data extension models, SARIF processing) and 'when' via explicit trigger phrases, plus scan modes ('run all', 'important only').

3 / 3

Trigger Term Quality

Explicit natural triggers are given: 'run codeql', 'codeql scan', 'codeql analysis', 'build codeql database', and 'find vulnerabilities with codeql' — exactly what a user would say.

3 / 3

Distinctiveness Conflict Risk

The CodeQL-specific triggers and taint-tracking framing carve a clear niche unlikely to fire for Semgrep or generic analysis skills.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

relative_links

Relative link issues: 6 missing

Warning

Total

15

/

16

Passed

Repository
trailofbits/skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.