Quick security audit checklist covering authentication, function exposure, argument validation, row-level access control, and environment variable handling
Overall score: 59

Quality: 37%
Does it follow best practices?

Impact: 100%
1.14x average score across 3 eval scenarios

Passed
No known issues

Optimize this skill with Tessl:
npx tessl skill review --optimize ./skills/convex-security-check/SKILL.md

Quality
Discovery
32%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear domain (security auditing) and enumerates specific areas of coverage, which is helpful for differentiation. However, it lacks a 'Use when...' clause, uses topic-listing rather than concrete action verbs, and misses common keyword variations that users might naturally use when requesting security reviews.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks for a security review, security audit, vulnerability check, or wants to verify auth, permissions, or environment variable safety.'
Replace the passive 'checklist covering' with active verbs describing concrete actions, e.g., 'Audits authentication flows, checks for unprotected function exposure, validates argument sanitization, verifies row-level access control policies, and reviews environment variable handling.'
Include common keyword variations like 'security review', 'vulnerability scan', 'auth check', 'RLS', 'env vars', 'permissions audit' to improve trigger term coverage.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names a specific domain (security audit) and lists several areas covered (authentication, function exposure, argument validation, row-level access control, environment variable handling), but these are topics/categories rather than concrete actions. It says 'checklist covering' rather than listing specific actions like 'validates authentication flows, checks for exposed functions, verifies argument sanitization'. | 2 / 3 |
| Completeness | The description answers 'what does this do' (quick security audit checklist covering specific areas) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and since the 'what' is also somewhat weak (listing topics rather than actions), this falls to 1. | 1 / 3 |
| Trigger Term Quality | Includes some relevant keywords like 'security audit', 'authentication', 'row-level access control', and 'environment variable handling' that users might mention. However, it misses common variations like 'security review', 'vulnerability check', 'auth', 'RLS', 'env vars', 'permissions', or 'access control'. | 2 / 3 |
| Distinctiveness Conflict Risk | The security audit focus with specific sub-domains (authentication, function exposure, argument validation, row-level access control, environment variables) provides some distinctiveness, but 'security audit' is broad enough that it could overlap with other security-related skills. The specific mention of row-level access control and function exposure helps narrow it somewhat. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation
42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable code examples for Convex security patterns, which is its primary strength. However, it is severely bloated with redundant code examples — the individual section examples and the 'Complete Security Pattern' overlap significantly. The content would benefit greatly from consolidation and splitting detailed examples into separate reference files, keeping SKILL.md as a lean checklist with one concise example per category.
Suggestions
Consolidate redundant code examples: remove the individual section examples (Authentication Check, Function Exposure Check, etc.) and keep only the Complete Security Pattern, or vice versa — don't show both.
Move the Complete Security Pattern into a separate file (e.g., EXAMPLES.md) and reference it from the main skill with a one-line link.
Add an explicit audit workflow sequence: e.g., '1. Run checklist → 2. Flag issues → 3. Apply fixes using patterns below → 4. Re-audit to verify' with clear validation steps.
Trim the environment variable example to just the key lines (process.env access + null check) rather than a full email-sending action.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose with massive code blocks that repeat similar patterns multiple times. The 'Complete Security Pattern' example largely duplicates the individual section examples. The checklist items are useful but the code examples are redundant: the authentication helper appears twice, ownership checks appear twice, and the environment variable example is a full email-sending function when a 3-line snippet would suffice. | 1 / 3 |
| Actionability | All code examples are fully executable TypeScript with proper imports, type annotations, and realistic patterns. The examples are copy-paste ready and cover concrete scenarios like authentication helpers, argument validation, ownership checks, and environment variable access. | 3 / 3 |
| Workflow Clarity | The checklist format provides a clear structure for auditing, but there is no explicit workflow sequence: it is unclear whether to run these checks in order, how to verify findings, or what to do when issues are found. For a security audit (a potentially destructive/risky operation), there are no validation checkpoints or feedback loops for remediation. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of content at ~250 lines with no references to separate files for detailed examples. The 'Complete Security Pattern' section alone is ~70 lines and could easily be a separate reference file. The documentation links at top and bottom are external URLs, not structured sub-documents for progressive discovery. | 1 / 3 |
| Total | | 7 / 12 Passed |
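The Implementation review above names the patterns the skill teaches (an authentication helper, argument validation, an ownership check and a null-checked environment variable read) and asks for them to be consolidated into one concise example per category. The block below is an added illustration of that consolidated shape, written for this page; it is not code from the skill under review or from Convex. So that it runs offline, `Ctx` is a small synchronous stand-in for Convex's `ctx.auth.getUserIdentity()` and `ctx.db.get()` (the real calls are async and live inside `query`/`mutation` handlers with `v` validators), the variable name `AUDIT_WEBHOOK_URL` and the fixture rows are constructed for the example, and the environment is passed in explicitly where a Convex action would read `process.env`.

```typescript
// Added example (not the skill's or Convex's own code): the four checklist
// categories collapsed into one guarded mutation body, in audit order.
// `Ctx` is a minimal synchronous stand-in for the Convex `ctx` object
// (ctx.auth.getUserIdentity(), ctx.db.get()); the real calls are async.

type Identity = { subject: string };
type Doc = { _id: string; ownerId: string; body: string };
type Env = Record<string, string | undefined>;

interface Ctx {
  auth: { getUserIdentity(): Identity | null };
  db: { get(id: string): Doc | null };
}

// 1. Authentication: every public function resolves the caller first.
function requireIdentity(ctx: Ctx): Identity {
  const identity = ctx.auth.getUserIdentity();
  if (identity === null) throw new Error("Unauthenticated");
  return identity;
}

// 2. Argument validation: reject malformed input before any database access.
//    (In real Convex code this is the `args: { ... }` validator built from `v`.)
function validateUpdateArgs(raw: unknown): { id: string; body: string } {
  if (typeof raw !== "object" || raw === null) throw new Error("Invalid args");
  const { id, body } = raw as Record<string, unknown>;
  if (typeof id !== "string" || id === "") throw new Error("Invalid id");
  if (typeof body !== "string" || body.length > 10_000) throw new Error("Invalid body");
  return { id, body };
}

// 3. Row-level access control: the caller must own the row it touches.
//    Missing and foreign rows produce the same error so ids cannot be probed.
function requireOwnedDoc(ctx: Ctx, identity: Identity, id: string): Doc {
  const doc = ctx.db.get(id);
  if (doc === null || doc.ownerId !== identity.subject) throw new Error("Not found");
  return doc;
}

// 4. Environment variables: fail fast on a missing secret, never default it.
//    A Convex action would pass `process.env` here.
function requireEnv(env: Env, name: string): string {
  const value = env[name];
  if (value === undefined || value === "") throw new Error(`Missing env var ${name}`);
  return value;
}

// The guarded handler. AUDIT_WEBHOOK_URL is a hypothetical variable name.
function updateNoteHandler(ctx: Ctx, rawArgs: unknown, env: Env): Doc {
  const identity = requireIdentity(ctx);
  const args = validateUpdateArgs(rawArgs);
  requireEnv(env, "AUDIT_WEBHOOK_URL");
  const doc = requireOwnedDoc(ctx, identity, args.id);
  return { ...doc, body: args.body };
}

// Constructed fixture: two rows owned by different users.
function makeCtx(user: string | null): Ctx {
  const rows: Record<string, Doc> = {
    n1: { _id: "n1", ownerId: "alice", body: "old" },
    n2: { _id: "n2", ownerId: "bob", body: "bob's" },
  };
  return {
    auth: { getUserIdentity: () => (user === null ? null : { subject: user }) },
    db: { get: (id) => rows[id] ?? null },
  };
}

// Runs one call and reports the outcome as a string, so each audit case
// (unauthenticated, bad args, missing secret, foreign row, happy path) is visible.
function outcome(user: string | null, rawArgs: unknown, env: Env): string {
  try {
    return `ok:${updateNoteHandler(makeCtx(user), rawArgs, env).body}`;
  } catch (e) {
    return `error:${(e as Error).message}`;
  }
}

const ENV_OK: Env = { AUDIT_WEBHOOK_URL: "https://example.invalid/hook" };
console.log(outcome(null, { id: "n1", body: "x" }, ENV_OK));     // error:Unauthenticated
console.log(outcome("alice", { id: "n1" }, ENV_OK));              // error:Invalid body
console.log(outcome("alice", { id: "n1", body: "x" }, {}));       // error:Missing env var AUDIT_WEBHOOK_URL
console.log(outcome("alice", { id: "n2", body: "x" }, ENV_OK));   // error:Not found
console.log(outcome("alice", { id: "n1", body: "new" }, ENV_OK)); // ok:new
```

The checks run in the order an audit verifies them: identity, arguments, secrets, then row ownership, so no database read happens for an unauthenticated or malformed request, and a missing secret is caught before any write. Returning "Not found" for both a missing row and another user's row keeps the function from revealing which ids exist.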
Validation
90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
8ef49c9