Quick security audit checklist covering authentication, function exposure, argument validation, row-level access control, and environment variable handling
Score: 62
Quality: 53% (Does it follow best practices?)
Impact: Pending (No eval scenarios have been run)
Passed (No known issues)
Optimize this skill with Tessl:
npx tessl skill review --optimize ./skills/convex-security-check/SKILL.md

Quality
Discovery: 42%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description effectively lists specific security audit categories, demonstrating good specificity in what it covers. However, it critically lacks any 'Use when...' guidance, making it difficult for Claude to know when to select this skill. The trigger terms are technical but miss common user phrasings for security concerns.
Suggestions
Add a 'Use when...' clause with explicit triggers like 'Use when reviewing code security, checking for vulnerabilities, auditing API endpoints, or when user mentions security review, auth issues, or access control'
Include common user-facing trigger terms like 'security review', 'vulnerability', 'secure my code', 'check permissions', or technology-specific terms like 'API security', 'database security'
Specify the context or technology stack this applies to (e.g., 'for backend services', 'for web applications') to reduce conflict risk with other potential security skills
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete security areas: authentication, function exposure, argument validation, row-level access control, and environment variable handling. These are concrete, actionable audit categories. | 3 / 3 |
| Completeness | Describes what it does (security audit checklist covering specific areas) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. | 1 / 3 |
| Trigger Term Quality | Contains relevant technical terms like 'security audit', 'authentication', 'access control', but missing common user variations like 'security review', 'vulnerability check', 'secure', 'permissions', or file type triggers. | 2 / 3 |
| Distinctiveness / Conflict Risk | The specific security domains (authentication, row-level access control, etc.) provide some distinctiveness, but 'security audit' is broad enough to potentially conflict with other security-related skills. | 2 / 3 |
| Total | | 8 / 12 Passed |
Implementation: 64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid security audit skill with excellent actionable code examples and a useful checklist format. The main weaknesses are redundancy between the checklist and code sections, and lack of explicit workflow for conducting and validating the audit. The skill would benefit from consolidating duplicate patterns and adding guidance on audit sequencing and verification.
Suggestions
Add an explicit audit workflow sequence (e.g., '1. Run checklist → 2. Document findings → 3. Fix issues → 4. Re-verify') with validation checkpoints
Consolidate the 'Complete Security Pattern' section with earlier examples to reduce redundancy - consider moving detailed examples to a separate EXAMPLES.md
Add guidance on what to do when security issues are found - how to prioritize, verify fixes, and document the audit results
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably efficient but includes some redundancy: the checklist items are then repeated as full code examples, and some patterns (like authentication helpers) appear multiple times. The 'Complete Security Pattern' section largely duplicates earlier examples. | 2 / 3 |
| Actionability | Excellent executable code examples throughout: all TypeScript snippets are complete, copy-paste ready, and demonstrate both good and bad patterns. The checklist format combined with concrete implementations makes this highly actionable. | 3 / 3 |
| Workflow Clarity | The checklist provides clear categories but lacks explicit sequencing for the audit process itself. There is no validation checkpoint or feedback loop for verifying fixes; it is a static checklist without guidance on what to do when issues are found. | 2 / 3 |
| Progressive Disclosure | Content is well-organized with clear sections, but everything is inline in one file. The extensive code examples could be split into separate reference files, with SKILL.md containing just the checklist and brief patterns. References to external docs are provided, but the internal structure could be improved. | 2 / 3 |
| Total | | 9 / 12 Passed |
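To make the audit categories named in the description concrete, the following is an added example, not code from the skill under review or from Convex: a plain-TypeScript model of a function handler with and without the checks for authentication, argument validation and row-level access control, written so it runs without the Convex SDK. The `Ctx` interface, the `Note` table and the user ids are constructed for this illustration; in real Convex code the same checks would sit inside the generated `query`/`mutation` wrappers, use `v` validators from `convex/values` for `args`, and call `ctx.auth.getUserIdentity()` and `ctx.db`.

```typescript
// Added example (not code from the skill under review). `Ctx` is a simplified
// stand-in for Convex's QueryCtx/MutationCtx (an assumption); only the two
// members the checks need are modelled.
interface Identity { subject: string }
interface Note { _id: string; ownerId: string; body: string }
interface Ctx {
  auth: { getUserIdentity(): Promise<Identity | null> };
  db: { get(id: string): Promise<Note | null> };
}

// Argument validation. Convex does this declaratively with
// `args: { noteId: v.id("notes") }`; a hand-written guard plays that role here
// so the example runs stand-alone.
function validateArgs(args: unknown): { noteId: string } {
  if (typeof args !== "object" || args === null) throw new Error("args must be an object");
  const { noteId } = args as Record<string, unknown>;
  if (typeof noteId !== "string" || noteId.length === 0) {
    throw new Error("noteId must be a non-empty string");
  }
  return { noteId };
}

// Authentication: reject unauthenticated callers before touching any data.
async function requireUser(ctx: Ctx): Promise<Identity> {
  const identity = await ctx.auth.getUserIdentity();
  if (identity === null) throw new Error("Unauthenticated");
  return identity;
}

// BAD: a public function with no auth check, no ownership check and untyped
// args. Anyone who can reach the endpoint can read any note by id.
async function getNoteInsecure(ctx: Ctx, args: any): Promise<Note | null> {
  return ctx.db.get(args.noteId);
}

// GOOD: validate args, require auth, then enforce row-level access: the caller
// may only read rows whose ownerId matches their identity.
async function getNoteSecure(ctx: Ctx, rawArgs: unknown): Promise<Note> {
  const { noteId } = validateArgs(rawArgs);
  const user = await requireUser(ctx);
  const note = await ctx.db.get(noteId);
  // Same error for "missing" and "not yours", so ids cannot be enumerated.
  if (note === null || note.ownerId !== user.subject) throw new Error("Not found");
  return note;
}

// Constructed fixture: two users' notes and a ctx factory (hypothetical data).
const NOTES: Note[] = [
  { _id: "n1", ownerId: "alice", body: "alice's note" },
  { _id: "n2", ownerId: "bob", body: "bob's note" },
];

function makeCtx(userId: string | null): Ctx {
  return {
    auth: { getUserIdentity: async () => (userId ? { subject: userId } : null) },
    db: { get: async (id) => NOTES.find((n) => n._id === id) ?? null },
  };
}

// Runs the four checklist scenarios against a handler and reports which
// protections it actually provides.
async function audit(handler: (ctx: Ctx, args: unknown) => Promise<Note | null>) {
  const outcome = async (ctx: Ctx, args: unknown) => {
    try {
      const result = await handler(ctx, args);
      return result ? "ok" : "null";
    } catch {
      return "rejected";
    }
  };
  return {
    rejectsAnonymous: (await outcome(makeCtx(null), { noteId: "n1" })) === "rejected",
    rejectsOtherUsersRow: (await outcome(makeCtx("bob"), { noteId: "n1" })) === "rejected",
    rejectsBadArgs: (await outcome(makeCtx("alice"), { noteId: 42 })) === "rejected",
    allowsOwner: (await outcome(makeCtx("alice"), { noteId: "n1" })) === "ok",
  };
}

audit(getNoteInsecure).then((r) => console.log("insecure:", r));
audit(getNoteSecure).then((r) => console.log("secure:", r));
```

Running `audit` over both handlers shows the insecure version passing only the owner case, while the hardened version rejects anonymous callers, other users' rows and malformed arguments and still serves the owner; the environment-variable category in the description is about configuration rather than handler logic and is not modelled here.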
Validation: 75%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation checks: 12 / 16 passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 12 / 16 Passed |
8ef49c9