security-general

Security checklist: OWASP top 10, secret scanning, input validation, and auth patterns

1.02x

Quality

48%

Does it follow best practices?

Impact

99%

1.02x

Average score across 3 eval scenarios

Securityby

Passed

No known issues

Fix and improve this skill with Tessl

tessl review fix ./skills/security-general/SKILL.md

Quality

Content

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A well-structured, concise security checklist that efficiently covers major security domains without over-explaining concepts Claude already knows. Its main weakness is the lack of executable code examples for key patterns (parameterized queries, JWT validation, CSP headers) and the absence of a workflow for when/how to apply these checks in a development lifecycle. The checklist format is appropriate but could be enhanced with concrete code snippets and references to deeper materials.

Suggestions

Add 2-3 short executable code examples for the most critical items (e.g., parameterized SQL query, JWT validation snippet, CSP header configuration) to improve actionability.

Add a brief workflow section describing when to apply these checks (e.g., 'During code review: check items X, Y; In CI pipeline: run secret scanning and dependency audit; Before deployment: verify headers').

Consider linking to or referencing deeper guides for complex topics like auth patterns or secrets management to improve progressive disclosure.

Dimension	Reasoning	Score
Conciseness	Every bullet point is actionable and specific. No unnecessary explanations of what SQL injection or XSS are — it assumes Claude knows these concepts and just provides the concrete guidance. No filler text.	3 / 3
Actionability	Provides specific tool names (truffleHog, gitleaks, trivy) and concrete rules (parameterized queries, reject ../ sequences, 15-min access tokens), but lacks executable code examples. For a checklist-style skill this is partially justified, but concrete code snippets for key items like parameterized queries or JWT validation would elevate it.	2 / 3
Workflow Clarity	This is a checklist rather than a multi-step workflow, so sequencing is less critical. However, there's no prioritization, no indication of when to apply which checks (e.g., during code review vs. CI vs. deployment), and no validation/verification steps for confirming security posture.	2 / 3
Progressive Disclosure	Well-organized with clear section headers covering distinct security domains. However, for a topic this broad (OWASP top 10, secrets, auth, etc.), some sections could benefit from references to deeper guides. Everything is inline with no external references, which is acceptable for the current length but limits depth.	2 / 3
	Total	9 / 12 Passed

Description

32%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear security domain and lists relevant topic areas, but it reads more like a label than a functional description. It lacks action verbs describing what the skill does, omits any 'Use when...' guidance, and misses common user-facing trigger terms that would help Claude select it appropriately.

Suggestions

Add action verbs describing concrete capabilities, e.g., 'Audits code against OWASP top 10 vulnerabilities, scans for hardcoded secrets, validates input sanitization, and reviews authentication/authorization patterns.'

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks for a security review, vulnerability check, security audit, or mentions OWASP, secrets, input validation, or auth.'

Include additional natural trigger terms users might say, such as 'security review', 'vulnerability', 'SQL injection', 'XSS', 'authentication', 'security audit', or 'code security'.

Dimension	Reasoning	Score
Specificity	Names the security domain and lists several specific areas (OWASP top 10, secret scanning, input validation, auth patterns), but these are more like topic labels than concrete actions. No verbs describing what the skill actually does (e.g., 'scans for', 'validates', 'checks').	2 / 3
Completeness	Describes a rough 'what' (security checklist covering certain topics) but completely lacks a 'when' clause. There is no explicit trigger guidance for when Claude should select this skill. Per rubric guidelines, a missing 'Use when...' clause caps completeness at 2, and the 'what' is also weak (no verbs/actions), so this scores a 1.	1 / 3
Trigger Term Quality	Includes relevant keywords like 'OWASP', 'secret scanning', 'input validation', and 'auth patterns' that users might mention. However, it misses common variations like 'security review', 'vulnerability', 'XSS', 'SQL injection', 'authentication', 'authorization', or 'security audit'.	2 / 3
Distinctiveness Conflict Risk	The mention of 'security checklist' and specific areas like OWASP and secret scanning provides some distinctiveness, but 'security' is broad enough to potentially overlap with other security-related skills (e.g., a penetration testing skill or a code review skill).	2 / 3
	Total	7 / 12 Passed

Validation

100%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: ucdavis/ai-skills-registry
Commit: c0b2e4b

Reviewed: 23 days ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.