Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.
91
62% (Does it follow best practices?)
Impact: 97% (1.07x average score across 9 eval scenarios)
Advisory: Suggest reviewing before use
Optimize this skill with Tessl: `npx tessl skill review --optimize ./docs/zh-TW/skills/security-review/SKILL.md`
Quality
Discovery
82%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description has good trigger term coverage and explicitly addresses both 'what' and 'when', making it functional for skill selection. However, the 'what' portion is vague ('comprehensive security checklist and patterns') and could be more specific about concrete actions. The description also uses second person voice ('Use this skill') which is acceptable per the rubric's 'Use when...' pattern, but the broad scope creates some overlap risk with other development skills.
Suggestions
Replace 'Provides comprehensive security checklist and patterns' with specific actions like 'Validates input sanitization, enforces CSRF protection, configures secret management, and audits authentication flows'.
Narrow the distinctiveness by adding a qualifier like 'security-focused review' to differentiate from general API or authentication skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names several domains (authentication, secrets, API endpoints, payment) but describes the output vaguely as 'comprehensive security checklist and patterns' without listing specific concrete actions like 'validate input against injection attacks' or 'implement CSRF token verification'. | 2 / 3 |
| Completeness | Explicitly answers both 'when' ('Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features') and 'what' ('Provides comprehensive security checklist and patterns'), though the 'what' portion is less detailed. | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would actually say: 'authentication', 'user input', 'secrets', 'API endpoints', 'payment', and 'sensitive features'. These cover a good range of security-related scenarios users would naturally mention. | 3 / 3 |
| Distinctiveness Conflict Risk | The security focus provides some distinctiveness, but terms like 'authentication', 'API endpoints', and 'user input' could overlap with general web development, API design, or authentication-specific skills. The broad scope increases conflict risk. | 2 / 3 |
| Total | | 10 / 12 Passed |
Implementation
42%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill is highly actionable with excellent concrete code examples and anti-patterns, but it is far too verbose for a SKILL.md file—it explains fundamental security concepts Claude already knows well and packs everything into a single monolithic document. The content would benefit enormously from being condensed to a concise overview with references to detailed sub-files, and from removing explanations of basic security concepts in favor of project-specific patterns only.
Suggestions
Reduce the body to a concise overview (~50-80 lines) with a summary checklist and quick-reference patterns, moving detailed sections (XSS, CSRF, Solana, rate limiting, etc.) into separate referenced files like SECURITY-AUTH.md, SECURITY-INPUT.md, etc.
Remove explanations of well-known security concepts (what SQL injection is, what XSS is) and keep only the project-specific code patterns and checklists—Claude already understands these attack vectors.
Add a clear workflow sequence: e.g., 'During development: run checklist items 1-5 → Before PR: run npm audit + security tests → Before deploy: complete full checklist' with explicit validation/feedback loops.
Trim redundant verification step checklists that repeat the same points across sections and consolidate into the single deployment checklist at the end.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | This is extremely verbose at ~400+ lines. It explains well-known security concepts (SQL injection, XSS, CSRF) that Claude already understands deeply. The explanations of what these attacks are and why they matter are unnecessary token waste. Much of this could be condensed to a checklist with code patterns only for project-specific conventions. | 1 / 3 |
| Actionability | Every section provides concrete, executable TypeScript/SQL code examples with clear do/don't patterns. The code is copy-paste ready with real libraries (zod, DOMPurify, express-rate-limit) and includes complete error handling. | 3 / 3 |
| Workflow Clarity | Each section has verification checklists, which is good, and there is a deployment checklist at the end. However, there is no clear sequencing of when to apply these checks in a development workflow, no feedback loops for when checks fail, and no prioritization guidance. The sections are presented as a flat list rather than a sequenced process. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of content with 10 major sections all inline. The Solana blockchain security, CSRF protection, dependency security, and security testing sections could easily be separate referenced files. The external resource links at the bottom are helpful, but the body content itself desperately needs splitting. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation
100%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
79cc4e3