Deep security review patterns for authorization logic, data access boundaries, action isolation, rate limiting, and protecting sensitive operations
Overall score: 62
Does it follow best practices? 53%
Impact: Pending (no eval scenarios have been run)
Advisory: Suggest reviewing before use
Optimize this skill with Tessl:
npx tessl skill review --optimize ./skills/convex-security-audit/SKILL.md
Quality
Discovery
42%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description effectively lists specific security review domains, demonstrating good specificity in capabilities. However, it critically lacks explicit trigger guidance ('Use when...') which would help Claude know when to select this skill. The technical terminology may not match how users naturally request security reviews.
Suggestions
Add a 'Use when...' clause with trigger terms like 'security review', 'audit permissions', 'check authorization', 'review access control', or 'security assessment'
Include common user-facing synonyms such as 'permissions', 'access control', 'security audit', 'vulnerability check' to improve trigger term coverage
Specify the context more clearly - e.g., 'for agentic systems' or 'for API endpoints' to reduce potential conflicts with general security skills
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete security review areas: 'authorization logic, data access boundaries, action isolation, rate limiting, and protecting sensitive operations' - these are distinct, actionable review patterns. | 3 / 3 |
| Completeness | Describes what it does (security review patterns for specific areas) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. | 1 / 3 |
| Trigger Term Quality | Contains relevant security terms like 'authorization', 'rate limiting', 'data access' but uses somewhat technical jargon. Missing common user phrases like 'security audit', 'permissions check', 'access control review', or 'vulnerability assessment'. | 2 / 3 |
| Distinctiveness Conflict Risk | The specific security domains (authorization, rate limiting, action isolation) provide some distinctiveness, but 'security review' is broad enough to potentially overlap with general code review or other security-related skills. | 2 / 3 |
| Total | 8 / 12 Passed | |
Implementation
64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid security audit skill with excellent, production-ready code examples covering authorization, data boundaries, action isolation, rate limiting, and sensitive operations. The main weaknesses are the lack of an explicit audit workflow with validation checkpoints, and the monolithic structure that could benefit from splitting detailed implementations into separate files for better progressive disclosure.
Suggestions
Add an explicit audit workflow section with numbered steps and validation checkpoints (e.g., '1. Run auth check → 2. Verify findings → 3. Document issues → 4. Re-test after fixes')
Split the detailed code implementations into separate reference files (e.g., AUTH_PATTERNS.md, RATE_LIMITING.md) and keep SKILL.md as a concise overview with links
Remove or condense the 'Best Practices' and 'Common Pitfalls' sections as they contain general security knowledge Claude already possesses
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly comprehensive but includes some redundancy and could be tightened. The code examples are substantial and necessary, but some explanatory text (like the 'Best Practices' and 'Common Pitfalls' sections) contains information Claude would already know about security principles. | 2 / 3 |
| Actionability | Excellent actionability with fully executable TypeScript code examples throughout. Each security pattern includes complete, copy-paste ready implementations with proper imports, type definitions, and error handling. | 3 / 3 |
| Workflow Clarity | The five audit areas are clearly listed, but the document lacks explicit validation checkpoints and feedback loops for the audit process itself. It shows what secure code looks like but doesn't provide a clear step-by-step audit workflow with verification steps. | 2 / 3 |
| Progressive Disclosure | The document is well-organized with clear sections, but it's quite long (~400 lines) and could benefit from splitting detailed implementations into separate reference files. The references section points to external docs but doesn't leverage internal file organization for the extensive code examples. | 2 / 3 |
| Total | 9 / 12 Passed | |
Validation
68%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 16 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (540 lines); consider splitting into references/ and linking | Warning |
| description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 11 / 16 Passed | |
8ef49c9