Security checklist: OWASP top 10, secret scanning, input validation, and auth patterns
67
Does it follow best practices? 48%
Impact: 99% (1.02x average score across 3 eval scenarios)
Passed: No known issues
Quality
Discovery (32%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear security domain and lists relevant topic areas, but it reads more like a label than a functional description. It lacks action verbs describing what the skill does, omits any 'Use when...' guidance, and misses common user-facing trigger terms that would help Claude select it appropriately.
Suggestions
Add action verbs describing concrete capabilities, e.g., 'Audits code against OWASP top 10 vulnerabilities, scans for hardcoded secrets, validates input sanitization, and reviews authentication/authorization patterns.'
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks for a security review, vulnerability check, security audit, or mentions OWASP, secrets, input validation, or auth.'
Include additional natural trigger terms users might say, such as 'security review', 'vulnerability', 'SQL injection', 'XSS', 'authentication', 'security audit', or 'code security'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the security domain and lists several specific areas (OWASP top 10, secret scanning, input validation, auth patterns), but these are more like topic labels than concrete actions. No verbs describing what the skill actually does (e.g., 'scans for', 'validates', 'checks'). | 2 / 3 |
| Completeness | Describes a rough 'what' (security checklist covering certain topics) but completely lacks a 'when' clause. There is no explicit trigger guidance for when Claude should select this skill. Per rubric guidelines, a missing 'Use when...' clause caps completeness at 2, and the 'what' is also weak (no verbs/actions), so this scores a 1. | 1 / 3 |
| Trigger Term Quality | Includes relevant keywords like 'OWASP', 'secret scanning', 'input validation', and 'auth patterns' that users might mention. However, it misses common variations like 'security review', 'vulnerability', 'XSS', 'SQL injection', 'authentication', 'authorization', or 'security audit'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The mention of 'security checklist' and specific areas like OWASP and secret scanning provides some distinctiveness, but 'security' is broad enough to potentially overlap with other security-related skills (e.g., a penetration testing skill or a code review skill). | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation (64%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
A well-structured, concise security checklist that efficiently covers major security domains without over-explaining concepts Claude already knows. Its main weakness is the lack of executable code examples for key patterns (parameterized queries, JWT validation, CSP headers) and the absence of a workflow for when/how to apply these checks in a development lifecycle. The checklist format is appropriate but could be enhanced with concrete code snippets and references to deeper materials.
Suggestions
Add 2-3 short executable code examples for the most critical items (e.g., parameterized SQL query, JWT validation snippet, CSP header configuration) to improve actionability.
Add a brief workflow section describing when to apply these checks (e.g., 'During code review: check items X, Y; In CI pipeline: run secret scanning and dependency audit; Before deployment: verify headers').
Consider linking to or referencing deeper guides for complex topics like auth patterns or secrets management to improve progressive disclosure.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Every bullet point is actionable and specific. No unnecessary explanations of what SQL injection or XSS are — it assumes Claude knows these concepts and just provides the concrete guidance. No filler text. | 3 / 3 |
| Actionability | Provides specific tool names (truffleHog, gitleaks, trivy) and concrete rules (parameterized queries, reject ../ sequences, 15-min access tokens), but lacks executable code examples. For a checklist-style skill this is partially justified, but concrete code snippets for key items like parameterized queries or JWT validation would elevate it. | 2 / 3 |
| Workflow Clarity | This is a checklist rather than a multi-step workflow, so sequencing is less critical. However, there's no prioritization, no indication of when to apply which checks (e.g., during code review vs. CI vs. deployment), and no validation/verification steps for confirming security posture. | 2 / 3 |
| Progressive Disclosure | Well-organized with clear section headers covering distinct security domains. However, for a topic this broad (OWASP top 10, secrets, auth, etc.), some sections could benefit from references to deeper guides. Everything is inline with no external references, which is acceptable for the current length but limits depth. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation (100%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
c0b2e4b