
security-review

Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment or other sensitive features. It provides a comprehensive security checklist and the patterns that satisfy it.

Install with Tessl CLI

npx tessl i github:ysyecust/everything-claude-code --skill security-review

Overall score: 94 (1.07x)
Quality: 79% (Does it follow best practices?)
Impact: 97% (1.07x), average score across 9 eval scenarios

Optimize this skill with Tessl

npx tessl skill review --optimize ./docs/zh-TW/skills/security-review/SKILL.md

Evaluation results

User Registration API
Input validation and error handling
Score with context: 97% · Change vs. without context: 9%

Criterion                               Without context   With context
Zod import                              100%              100%
Schema-based validation                 100%              100%
Email validation                        100%              100%
Name length bounds                      100%              100%
Age numeric bounds                       75%              100%
File size limit                         100%              100%
File MIME type whitelist                 75%              100%
File extension whitelist                  0%              100%
Parameterized DB query                  100%              100%
Generic error response                  100%               70%
Zod error handling                      100%              100%

Without context: $0.2250 · 1m 1s · 14 turns · 69 in / 3,568 out tokens
With context: $0.5083 · 1m 20s · 21 turns · 5,280 in / 4,447 out tokens
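The three file-upload criteria above (size limit, MIME allowlist, extension allowlist) and the generic error response are the ones the baseline run missed most often. The following is an added example, not code from the skill or its repository, showing what a passing implementation looks like for an avatar upload on a registration endpoint. It goes one step beyond the checklist by also sniffing magic bytes, because the client-declared Content-Type is attacker-controlled. The 2 MiB cap, the image types, the field names and the in-memory log are assumptions; the JSON-body checks (email, name length, age bounds) are left to Zod as the checklist intends and are not repeated here.

```javascript
// Added example (not the skill's own code). Limits, allowlists and field names are assumptions.
const MAX_AVATAR_BYTES = 2 * 1024 * 1024;                 // assumed 2 MiB cap
const ALLOWED_MIME = new Set(['image/png', 'image/jpeg']); // declared Content-Type allowlist
const ALLOWED_EXT = new Set(['.png', '.jpg', '.jpeg']);    // final-extension allowlist

// Magic-byte prefixes: the declared MIME type is checked AND the bytes are checked,
// so a renamed SVG or PHP file with a friendly Content-Type is still rejected.
const MAGIC = [
  { mime: 'image/png',  bytes: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { mime: 'image/jpeg', bytes: Buffer.from([0xff, 0xd8, 0xff]) },
];

function sniffMime(buf) {
  const hit = MAGIC.find(m => buf.length >= m.bytes.length && buf.subarray(0, m.bytes.length).equals(m.bytes));
  return hit ? hit.mime : null;
}

// Only the final extension counts, and any client-supplied path is dropped first.
function extensionOf(filename) {
  const base = String(filename).split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  return dot === -1 ? '' : base.slice(dot).toLowerCase();
}

// Returns { ok: true, mime } or { ok: false, reason }. `reason` is for the server log only.
function validateAvatar({ filename, declaredMime, data }) {
  if (!Buffer.isBuffer(data) || data.length === 0) return { ok: false, reason: 'empty body' };
  if (data.length > MAX_AVATAR_BYTES) return { ok: false, reason: 'exceeds size limit' };
  const ext = extensionOf(filename);
  if (!ALLOWED_EXT.has(ext)) return { ok: false, reason: `extension not allowed: ${ext || '(none)'}` };
  if (!ALLOWED_MIME.has(declaredMime)) return { ok: false, reason: `mime not allowed: ${declaredMime}` };
  const sniffed = sniffMime(data);
  if (sniffed !== declaredMime) return { ok: false, reason: `content is ${sniffed || 'unknown'}, declared ${declaredMime}` };
  return { ok: true, mime: sniffed };
}

// Generic error to the client; the specific reason goes to the server log only.
function toClientResponse(result, log = () => {}) {
  if (result.ok) return { status: 201, body: { ok: true } };
  log(`avatar rejected: ${result.reason}`);
  return { status: 400, body: { error: 'Invalid upload' } };
}

// Constructed sample uploads (not real user data).
const pngOk = {
  filename: 'me.png', declaredMime: 'image/png',
  data: Buffer.concat([Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]), Buffer.alloc(16)]),
};
const svgRenamed = { filename: 'avatar.png', declaredMime: 'image/png', data: Buffer.from('<svg onload=alert(1)>') };
const phpRenamed = { filename: 'shell.jpg.php', declaredMime: 'image/jpeg', data: Buffer.from([0xff, 0xd8, 0xff, 0x00]) };

module.exports = { validateAvatar, toClientResponse, extensionOf, sniffMime, MAX_AVATAR_BYTES, pngOk, svgRenamed, phpRenamed };
```

The order of checks matters for cost: the size check runs before anything touches the bytes, and the cheap string checks run before the sniff. A client that passes the extension and MIME allowlists but fails the byte check gets the same "Invalid upload" as every other rejection.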

Team Management Dashboard Authentication
Authentication token storage and authorization
Score with context: 100% · Change vs. without context: 10%

Criterion                               Without context   With context
httpOnly cookie                         100%              100%
Secure cookie flag                      100%              100%
SameSite=Strict                           0%              100%
No localStorage for token               100%              100%
Authorization check before delete       100%              100%
403 for unauthorized                    100%              100%
RLS enabled in schema                   100%              100%
RLS policy defined                      100%              100%
Generic error messages                  100%              100%
No secrets in code                      100%              100%

Without context: $0.2250 · 1m 17s · 11 turns · 16 in / 4,869 out tokens
With context: $0.6016 · 1m 46s · 25 turns · 308 in / 6,439 out tokens
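SameSite=Strict was the one cookie attribute the baseline never set. The following is an added example, not code from the skill or its repository, showing the session cookie with all three attributes, a small audit helper that reports which attributes a Set-Cookie value is missing, and the ownership check that runs before a delete and answers 403 when the caller is authenticated but not the owner. The cookie name, the eight-hour lifetime, the in-memory team store and the request shape are assumptions; the Postgres RLS items are not covered here.

```javascript
// Added example (not the skill's own code). Cookie name, lifetime and store are assumptions.

// HttpOnly keeps the token out of script reach (hence no localStorage); Secure stops it
// travelling over plain HTTP; SameSite=Strict stops the browser attaching it to cross-site requests.
function sessionCookie(sessionId, { maxAgeSeconds = 8 * 3600, secure = true } = {}) {
  const parts = [
    `session=${encodeURIComponent(sessionId)}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'SameSite=Strict',
  ];
  if (secure) parts.push('Secure'); // only skipped for plain-HTTP local development
  return parts.join('; ');
}

// Review helper: which of the three attributes is a Set-Cookie value missing?
function missingCookieFlags(setCookie) {
  const attrs = setCookie.split(';').slice(1).map(a => a.trim().toLowerCase());
  const want = { httponly: 'HttpOnly', secure: 'Secure', 'samesite=strict': 'SameSite=Strict' };
  return Object.keys(want).filter(k => !attrs.includes(k)).map(k => want[k]);
}

// Constructed team store: team id -> owner.
function sampleTeams() {
  return new Map([
    ['team-1', { ownerId: 'alice' }],
    ['team-2', { ownerId: 'bob' }],
  ]);
}

// Authorization runs before the mutation. 401 without a session, 404 for an unknown team,
// 403 when the caller is not the owner. The 403 body is generic and names no owner.
function deleteTeam(store, teamId, caller) {
  if (!caller) return { status: 401, body: { error: 'Authentication required' } };
  const team = store.get(teamId);
  if (!team) return { status: 404, body: { error: 'Not found' } };
  if (team.ownerId !== caller.userId) return { status: 403, body: { error: 'Forbidden' } };
  store.delete(teamId);
  return { status: 204, body: null };
}

module.exports = { sessionCookie, missingCookieFlags, sampleTeams, deleteTeam };
```

Returning 404 for unknown teams and 403 for someone else's team leaks whether a team id exists; collapsing both into 404 is also defensible, but the checklist item is the explicit 403, so that is what is shown.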

Community Forum with Rich Text Posts
XSS prevention and rate limiting
Score with context: 92% · Change vs. without context: 8%

Criterion                               Without context   With context
isomorphic-dompurify import             100%              100%
DOMPurify.sanitize called               100%              100%
ALLOWED_TAGS whitelist                  100%              100%
ALLOWED_ATTR empty                        0%                0%
dangerouslySetInnerHTML used            100%              100%
CSP header present                      100%              100%
CSP default-src self                    100%              100%
express-rate-limit used                 100%              100%
General limiter window/max               50%              100%
Search limiter stricter                  50%              100%
Search route applies limiter            100%              100%
isomorphic-dompurify in package.json    100%              100%

Without context: $0.3555 · 1m 20s · 21 turns · 26 in / 5,424 out tokens
With context: $0.5852 · 1m 40s · 27 turns · 32 in / 6,448 out tokens
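The two limiter criteria (a general window/max and a stricter one on the search route) were only hit half the time without context, and the CSP criteria ask for a header with default-src 'self'. The following is an added example, not code from the skill or its repository. The checklist names express-rate-limit; so that this runs offline with no dependencies it substitutes a small fixed-window limiter with the same windowMs/max shape, driven by an injectable clock, plus a CSP builder. The 15-minute window, the 100 and 20 request limits, the route names and the CSP directives beyond default-src are assumptions. DOMPurify itself is a library and is not reproduced here.

```javascript
// Added example (not the skill's own code). Window sizes, limits, routes and extra CSP
// directives are assumptions; the limiter stands in for express-rate-limit.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(' ')}`)
    .join('; ');
}

const CSP = buildCsp({
  'default-src': ["'self'"],
  'script-src': ["'self'"],          // no 'unsafe-inline': an injected <script> still will not run
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'frame-ancestors': ["'none'"],
});

class FixedWindowLimiter {
  constructor({ windowMs, max, now = () => Date.now() }) {
    this.windowMs = windowMs;
    this.max = max;
    this.now = now;                   // injectable clock keeps tests deterministic
    this.buckets = new Map();         // key -> { windowStart, count }
  }
  // Returns { allowed, remaining, retryAfterMs }.
  hit(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { windowStart: t, count: 0 };
      this.buckets.set(key, b);
    }
    if (b.count >= this.max) {
      return { allowed: false, remaining: 0, retryAfterMs: b.windowStart + this.windowMs - t };
    }
    b.count += 1;
    return { allowed: true, remaining: this.max - b.count, retryAfterMs: 0 };
  }
}

function makeClock(start = 0) {
  let t = start;
  return { now: () => t, advance: ms => { t += ms; } };
}

// General limiter for every route; a stricter one for search, which is expensive to serve.
function makeLimiters(clock) {
  return {
    general: new FixedWindowLimiter({ windowMs: 15 * 60 * 1000, max: 100, now: clock.now }),
    search:  new FixedWindowLimiter({ windowMs: 15 * 60 * 1000, max: 20,  now: clock.now }),
  };
}

// Both limiters apply to /search; only the general one elsewhere. Every 200 carries the CSP header.
function handle(limiters, route, clientIp) {
  const g = limiters.general.hit(clientIp);
  if (!g.allowed) return { status: 429, headers: { 'Retry-After': Math.ceil(g.retryAfterMs / 1000) } };
  if (route === '/search') {
    const s = limiters.search.hit(clientIp);
    if (!s.allowed) return { status: 429, headers: { 'Retry-After': Math.ceil(s.retryAfterMs / 1000) } };
  }
  return { status: 200, headers: { 'Content-Security-Policy': CSP } };
}

module.exports = { buildCsp, CSP, FixedWindowLimiter, makeClock, makeLimiters, handle };
```

Keying the limiter on the client IP is the simplest choice and the one the checklist implies; behind a proxy the key has to come from a trusted forwarded-for header or it will throttle the proxy instead of the client.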

User Newsletter Preferences API
Secret management and CSRF protection
Score with context: 100% · Change vs. without context: 16%

Criterion                               Without context   With context
No hardcoded API key                    100%              100%
Env var read for API key                100%              100%
Secret existence check                  100%              100%
.env files in .gitignore                100%              100%
CSRF token header check                  30%              100%
403 on CSRF failure                     100%              100%
Zod or schema validation                  0%              100%
Boolean subscribed field validated      100%              100%
Parameterized DB query                  100%              100%
Generic client error message            100%              100%
README lists env vars                   100%              100%

Without context: $0.5557 · 1m 46s · 22 turns · 29 in / 6,534 out tokens
With context: $0.6080 · 1m 35s · 26 turns · 277 in / 5,923 out tokens

E-Commerce Checkout Login Flow
Sensitive data logging and dependency security
Score with context: 96% · Change vs. without context: -4%

Criterion                               Without context   With context
No password in auth log                 100%              100%
Safe auth log fields                    100%              100%
No card number in payment log           100%              100%
No CVV in payment log                   100%              100%
Safe payment log fields                 100%              100%
Generic error to caller                 100%               80%
Detailed error server-side only         100%               75%
npm ci in package.json scripts          100%              100%
npm audit in package.json scripts       100%              100%
Lock file mentioned                     100%              100%

Without context: $0.5063 · 2m 11s · 29 turns · 36 in / 7,100 out tokens
With context: $0.6020 · 1m 52s · 25 turns · 276 in / 6,157 out tokens

Production Deployment Pipeline for a Next.js App on AWS
CI/CD pipeline security and cloud IAM
Score with context: 100% · Change vs. without context: 2%

Criterion                               Without context   With context
OIDC AWS auth                           100%              100%
Minimum job permissions                 100%              100%
Secret scanning step                    100%              100%
Dependency audit step                   100%              100%
RDS not publicly accessible             100%              100%
RDS deletion protection                 100%              100%
S3 bucket private                       100%              100%
Security group restricts DB ingress     100%              100%
IAM specific actions                    100%              100%
IAM scoped resources                     75%              100%
No long-term keys in workflow           100%              100%

Without context: $0.5571 · 2m 42s · 21 turns · 28 in / 9,833 out tokens
With context: $0.7157 · 2m 32s · 25 turns · 29 in / 9,508 out tokens
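"IAM scoped resources" was the one item the baseline missed here. The following is an added example, not code from the skill or its repository: a small check that a reviewer can run over a policy document to flag the two IAM criteria above, wildcard actions and unscoped resources in Allow statements. The sample policy, bucket name and statement ids are constructed placeholders.

```javascript
// Added example (not the skill's own code). The policy below is a constructed placeholder.

// Returns one finding per violation: { sid, kind, value }.
function iamFindings(policy) {
  const out = [];
  const statements = Array.isArray(policy.Statement) ? policy.Statement : [policy.Statement];
  statements.forEach((s, i) => {
    if (s.Effect !== 'Allow') return;                       // wildcards in Deny statements are fine
    const sid = s.Sid ?? `Statement[${i}]`;
    const actions = [].concat(s.Action ?? []);              // Action may be a string or an array
    const resources = [].concat(s.Resource ?? []);
    for (const a of actions) {
      if (a === '*' || a.endsWith(':*')) out.push({ sid, kind: 'wildcard-action', value: a });
    }
    for (const r of resources) {
      if (r === '*') out.push({ sid, kind: 'wildcard-resource', value: r });
    }
    // NotAction / NotResource grant everything except the listed items; treat as unscoped.
    if (s.NotAction || s.NotResource) out.push({ sid, kind: 'negated-scope', value: 'NotAction/NotResource' });
  });
  return out;
}

// Constructed deploy-role policy: one well-scoped statement, one that would fail review.
const deployPolicy = {
  Version: '2012-10-17',
  Statement: [
    {
      Sid: 'SyncAssets', Effect: 'Allow',
      Action: ['s3:PutObject', 's3:DeleteObject', 's3:ListBucket'],
      Resource: ['arn:aws:s3:::example-app-assets', 'arn:aws:s3:::example-app-assets/*'],
    },
    { Sid: 'TooBroad', Effect: 'Allow', Action: 's3:*', Resource: '*' },
  ],
};

module.exports = { iamFindings, deployPolicy };
```

A bucket ARN ending in `/*` is scoped (it names one bucket's objects) and is not flagged; only a bare `*` resource is. Service-wide action wildcards such as `s3:*` are flagged because they include destructive and configuration actions the deploy job has no reason to hold.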

Evaluated with agent Claude Code, model Claude Sonnet 4.6.

