tessl i github:ysyecust/everything-claude-code --skill security-review
Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.
Validation
75%
| Criteria | Description | Result |
|---|---|---|
| description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
| Total | | 12 / 16 Passed |
Implementation
77%
This is a strong, actionable security skill with excellent code examples and clear verification checklists. The main weakness is its length: it tries to cover everything in one file rather than using progressive disclosure to separate quick-reference patterns from detailed implementations. Some explanatory text could be trimmed since Claude understands security concepts.
Suggestions
Split detailed sections (blockchain security, CSP configuration, rate limiting implementations) into separate reference files, keeping SKILL.md as a quick-reference overview with links
Remove explanatory phrases like 'Security is not optional' and concept definitions - focus purely on patterns and checklists
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is comprehensive but includes some unnecessary explanations Claude would know (e.g., explaining what SQL injection is, basic concepts). The extensive code examples are valuable but some sections could be tightened. | 2 / 3 |
| Actionability | Excellent actionability with fully executable TypeScript/SQL code examples, specific commands (npm audit, npm ci), and copy-paste ready patterns. Every security concern has concrete, working code demonstrating both wrong and right approaches. | 3 / 3 |
| Workflow Clarity | Clear verification checklists after each section, explicit pre-deployment checklist, and security testing examples with expected outcomes. The structure guides through each security domain with clear validation steps. | 3 / 3 |
| Progressive Disclosure | Content is well-organized with clear sections, but the file is monolithic (~400 lines). Some sections like blockchain security or detailed CSP configuration could be split into separate reference files. External resources are linked but internal content isn't layered. | 2 / 3 |
| Total | | 10 / 12 Passed |
Activation
82%
This description has strong completeness with an explicit 'Use this skill when...' clause and good trigger term coverage for security-related tasks. However, it lacks specificity about concrete actions (what exactly does the checklist cover? what patterns are provided?) and could potentially conflict with API or authentication-specific skills.
Suggestions
Add specific concrete actions like 'validates input sanitization, reviews authentication flows, checks for injection vulnerabilities, audits secret management'
Differentiate from potential API or auth skills by emphasizing the security audit/review aspect more explicitly
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (security) and lists several areas (authentication, user input, secrets, API endpoints, payment features), but lacks concrete actions: 'Provides comprehensive security checklist and patterns' is vague about what specific actions are performed. | 2 / 3 |
| Completeness | Explicitly answers both what ('Provides comprehensive security checklist and patterns') and when ('Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features'). | 3 / 3 |
| Trigger Term Quality | Good coverage of natural terms users would say: 'authentication', 'user input', 'secrets', 'API endpoints', 'payment', 'sensitive features' are all terms developers naturally use when discussing security concerns. | 3 / 3 |
| Distinctiveness Conflict Risk | While security-focused, terms like 'API endpoints' and 'user input' could overlap with general API development or form handling skills. The security niche is clear but boundaries with adjacent skills could be sharper. | 2 / 3 |
| Total | | 10 / 12 Passed |