CtrlK
BlogDocsLog inGet started
Tessl Logo

security-review

Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.

69

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is highly actionable with concrete executable examples and explicit validation checklists throughout. Its weaknesses are verbosity from duplicated checklist content and a monolithic structure with no progressive disclosure into separate reference files.

Suggestions

Move the per-category detail into reference files (e.g. references/auth.md, references/injection.md) and keep SKILL.md as a concise overview that links one level deep, improving progressive disclosure.

Reduce duplication between the per-section validation checklists and the final consolidated deployment checklist so each token earns its place.

Add explicit error-recovery feedback loops (e.g. 'if npm audit reports vulnerabilities, run npm audit fix and re-check') to strengthen workflow clarity for the dependency and deployment steps.

DimensionReasoningScore

Conciseness

Content is mostly lean code and checklists rather than concept explanations, but at ~490 lines it is verbose and duplicates material (per-category validation steps are repeated in the final consolidated deployment checklist) and could be tightened.

2 / 3

Actionability

Every section provides fully executable TypeScript/SQL/bash code with specific libraries (zod, DOMPurify, supabase, express-rate-limit) and copy-paste-ready FAIL/PASS examples.

3 / 3

Workflow Clarity

Each category pairs FAIL/PASS examples with explicit validation checkboxes, and the consolidated '部署前安全檢查清單' provides a clear ordered runbook of validation checkpoints.

3 / 3

Progressive Disclosure

The skill is a single monolithic ~490-line file with no bundle files or references; it is well-organized by section but content that could be split out is kept inline with no one-level-deep navigation.

2 / 3

Total

10

/

12

Passed

Description

90%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is strong, with explicit triggers, concrete capabilities, and a clear security niche. The main weakness is the second-person voice ('Use this skill when...'), which the rubric penalizes on specificity.

Suggestions

Rewrite in third person to avoid the voice penalty, e.g. 'Reviews code for security vulnerabilities when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment features.'

Add a few more common trigger variations users say (e.g. 'login', 'SQL injection', 'XSS', 'input validation') to broaden trigger coverage.

DimensionReasoningScore

Specificity

Lists multiple concrete actions ('adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features'), which would score 3, but the second-person voice ('Use this skill when...') triggers the rubric's voice penalty, reducing specificity by one.

2 / 3

Completeness

It explicitly states what the skill does ('Provides comprehensive security checklist and patterns') and includes an explicit 'Use this skill when...' trigger clause, answering both what and when.

3 / 3

Trigger Term Quality

Terms like 'authentication', 'user input', 'secrets', 'API endpoints', and 'payment/sensitive features' are natural phrases users would say when needing a security review, giving good coverage.

3 / 3

Distinctiveness Conflict Risk

The security-specific triggers (auth, secrets, payments, sensitive features) carve a clear niche that is unlikely to conflict with non-security skills.

3 / 3

Total

11

/

12

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation16 / 16 Passed

Validation for skill structure

No warnings or errors.

Repository
ysyecust/everything-claude-code
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.