
tdg-personal/security-review

Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.

Quality: 69% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)


Quality

Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description has strong trigger term coverage and good completeness, with an explicit 'Use when' clause covering multiple scenarios. However, the 'what it does' portion is vague ('provides comprehensive security checklist and patterns') rather than listing concrete actions, and the broad scope creates moderate overlap risk with other development-related skills. The description also uses the second person ('Use this skill'), which is borderline but acceptable as trigger guidance rather than as a capability description.

Suggestions

Replace 'Provides comprehensive security checklist and patterns' with specific actions like 'Reviews code for injection vulnerabilities, enforces secret rotation policies, validates authentication flows, and applies OWASP security patterns'.

Narrow the scope or add distinguishing qualifiers to reduce overlap with general API or authentication skills — e.g., 'security review and hardening' rather than 'creating API endpoints'.

Dimension / Reasoning / Score

Specificity (2 / 3)

Names the domain (security) and lists several areas (authentication, secrets, API endpoints, payment features), but the actual actions are vague — 'Provides comprehensive security checklist and patterns' doesn't describe concrete actions like 'validates input against injection attacks' or 'encrypts secrets at rest'.

Completeness (3 / 3)

Explicitly answers both 'when' ('Use this skill when adding authentication, handling user input, working with secrets...') and 'what' ('Provides comprehensive security checklist and patterns'). The 'Use when' clause is present and detailed with multiple trigger scenarios.

Trigger Term Quality (3 / 3)

Includes strong natural trigger terms users would actually say: 'authentication', 'user input', 'secrets', 'API endpoints', 'payment', 'sensitive features'. These cover a good range of security-related queries.

Distinctiveness / Conflict Risk (2 / 3)

While the security focus is somewhat distinct, terms like 'handling user input', 'creating API endpoints', and 'authentication' could easily overlap with general web development, API design, or authentication-specific skills. The scope is broad enough to risk false triggers.

Total: 10 / 12 (Passed)

Implementation: 42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides comprehensive, actionable security guidance with excellent executable code examples across many domains. However, it is far too verbose for a skill file — it explains fundamental security concepts Claude already knows, and all content is crammed into a single monolithic file rather than being split into focused reference documents. The checklist approach is useful but lacks a clear sequential workflow with feedback loops for performing an actual security review.

Suggestions

Drastically reduce content to a concise overview with the pre-deployment checklist and brief pattern reminders, moving detailed code examples for each category into separate reference files (e.g., INPUT_VALIDATION.md, AUTH.md, XSS.md).

Remove explanations of concepts Claude already knows (what SQL injection is, why you shouldn't log passwords, etc.) and keep only the project-specific patterns and tool choices.

Add a clear sequential workflow for performing a security review: e.g., 1) scan for hardcoded secrets, 2) audit input validation, 3) check auth patterns → with explicit 'if issues found, fix and re-review' feedback loops.

Remove the blockchain/Solana section unless this is a blockchain-specific project — it adds significant length for a niche use case that could be a separate skill.
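The sequential workflow suggested above, with its 'if issues found, fix and re-review' loop, as an added example that is not part of the reviewed skill or of Tessl's review: three ordered checks (hardcoded secrets, SQL built by interpolation, routes registered without an auth middleware) run over a constructed in-memory source tree, findings ranked by severity, and a loop that applies one fix at a time and re-runs every check until the tree is clean or a round cap is hit. The regexes, the assumed middleware names (requireAuth, authenticate, isAuthenticated), the public-path list and the sample files and fixes are all illustrative assumptions, not a complete scanner.

```typescript
// Added example (not the reviewed skill's code, nor Tessl's): a sequential
// security-review pass with an explicit "fix and re-review" loop, run over
// constructed in-memory source files. Every pattern, path convention and
// sample line below is an illustrative assumption, not a complete scanner.
type Severity = "high" | "medium";
interface Finding { step: "secrets" | "input-validation" | "auth"; severity: Severity; file: string; line: number; message: string }
type SourceTree = Record<string, string>; // path -> file contents

// Visits every line (1-based) of every file; each scanner builds its findings from it.
function eachLine(tree: SourceTree, visit: (file: string, line: number, text: string) => void): void {
  for (const [file, src] of Object.entries(tree)) src.split("\n").forEach((text, i) => visit(file, i + 1, text));
}

// Step 1: hardcoded secrets. A known key format is high; a generic credential
// literal is medium because it may be a placeholder.
const SECRET_PATTERNS: Array<[RegExp, Severity, string]> = [
  [/AKIA[0-9A-Z]{16}/, "high", "AWS access key ID"],
  [/(?:password|secret|api_key)\s*[:=]\s*["'][^"']{8,}["']/i, "medium", "credential literal"],
];
function scanSecrets(tree: SourceTree): Finding[] {
  const out: Finding[] = [];
  eachLine(tree, (file, line, text) => {
    const hit = SECRET_PATTERNS.find(([re]) => re.test(text));
    if (hit) out.push({ step: "secrets", severity: hit[1], file, line, message: `${hit[2]} hardcoded in source` });
  });
  return out;
}

// Step 2: input validation. SQL assembled by interpolation or concatenation is
// flagged; a parameterized query ($1, ?) does not match.
const SQL_INTERP = /\b(?:select\s+|insert\s+into\b|update\s+\w+\s+set\b|delete\s+from\b)[^;\n]*(?:\$\{|["']\s*\+|\+\s*["'])/i;
function scanInputValidation(tree: SourceTree): Finding[] {
  const out: Finding[] = [];
  eachLine(tree, (file, line, text) => {
    if (SQL_INTERP.test(text)) out.push({ step: "input-validation", severity: "high", file, line, message: "SQL built by string interpolation (use a parameterized query)" });
  });
  return out;
}

// Step 3: auth. Assumed convention: an Express-style route for a non-public path
// must name an auth middleware on the same line as its registration.
const ROUTE = /\b(?:app|router)\.(?:get|post|put|patch|delete)\(\s*["']([^"']+)["']\s*,\s*(.*)$/;
const AUTH_MW = /\b(?:requireAuth|authenticate|isAuthenticated)\b/;
const PUBLIC_PATHS = new Set(["/health", "/login", "/signup"]);
function scanAuth(tree: SourceTree): Finding[] {
  const out: Finding[] = [];
  eachLine(tree, (file, line, text) => {
    const m = ROUTE.exec(text);
    const path = m?.[1] ?? "";
    if (m && !PUBLIC_PATHS.has(path) && !AUTH_MW.test(m[2] ?? "")) out.push({ step: "auth", severity: "high", file, line, message: `route ${path} has no auth middleware` });
  });
  return out;
}

const STEPS = [scanSecrets, scanInputValidation, scanAuth];
const RANK: Record<Severity, number> = { high: 0, medium: 1 };
// One full pass, worst finding first, so the fixer always works the top issue.
function reviewOnce(tree: SourceTree): Finding[] {
  return STEPS.flatMap((step) => step(tree)).sort((a, b) => RANK[a.severity] - RANK[b.severity] || a.file.localeCompare(b.file) || a.line - b.line);
}

type Fixer = (tree: SourceTree, finding: Finding) => SourceTree;
// Feedback loop: fix the top finding, then re-run every step (a fix can move lines
// or introduce a new issue), until the tree is clean or the round cap is hit.
function reviewUntilClean(tree: SourceTree, fix: Fixer, maxRounds = 10): { rounds: number; remaining: Finding[] } {
  let current = tree;
  for (let round = 1; round <= maxRounds; round++) {
    const findings = reviewOnce(current);
    if (findings.length === 0) return { rounds: round, remaining: [] };
    current = fix(current, findings[0] as Finding);
  }
  return { rounds: maxRounds, remaining: reviewOnce(current) };
}
// Stand-in for the human or agent fix: a constructed table of hardened lines keyed by file:line.
function tableFixer(hardened: Record<string, string>): Fixer {
  return (tree, f) => {
    const key = `${f.file}:${f.line}`;
    const replacement = hardened[key];
    if (replacement === undefined) throw new Error(`no fix recorded for ${key} (${f.message})`);
    const lines = (tree[f.file] ?? "").split("\n");
    lines[f.line - 1] = replacement;
    return { ...tree, [f.file]: lines.join("\n") };
  };
}

// Constructed sample tree and fixes (not real project code).
const SAMPLE_TREE: SourceTree = {
  "src/config.ts": ['export const region = "us-east-1";', 'export const awsKeyId = "AKIAIOSFODNN7EXAMPLE";', 'export const dbPassword = "hunter2hunter2";'].join("\n"),
  "src/users.ts": ["export async function findUser(db: Db, email: string) {", "  return db.query(`SELECT * FROM users WHERE email = '${email}'`);", "}"].join("\n"),
  "src/routes.ts": ['app.get("/health", health);', 'app.post("/api/orders", requireAuth, createOrder);', 'app.delete("/api/orders/:id", deleteOrder);'].join("\n"),
};
const SAMPLE_FIXES: Record<string, string> = {
  "src/config.ts:2": "export const awsKeyId = process.env.AWS_ACCESS_KEY_ID;",
  "src/config.ts:3": "export const dbPassword = process.env.DB_PASSWORD;",
  "src/users.ts:2": '  return db.query("SELECT * FROM users WHERE email = $1", [email]);',
  "src/routes.ts:3": 'app.delete("/api/orders/:id", requireAuth, deleteOrder);',
};
for (const f of reviewOnce(SAMPLE_TREE)) console.log(`[${f.severity}] ${f.step} ${f.file}:${f.line} ${f.message}`);
console.log(reviewUntilClean(SAMPLE_TREE, tableFixer(SAMPLE_FIXES)));
```

On the sample tree the first pass returns four findings, three high (the AWS key, the unauthenticated delete route, the interpolated query) ahead of the medium credential literal, and the loop needs five passes: four that each apply one fix and a fifth that confirms the tree is clean. Capping maxRounds below that returns the unresolved findings instead of silently reporting success, which is the behaviour a pre-deployment gate should have. Re-running every check after each fix, rather than only the one that fired, is what makes the loop safe against a fix that shifts line numbers or introduces a fresh issue.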

Dimension / Reasoning / Score

Conciseness (1 / 3)

The skill is extremely verbose at ~400+ lines. It explains well-known security concepts (SQL injection, XSS, CSRF) that Claude already understands deeply. Much of this content is textbook security knowledge that doesn't need to be spelled out — e.g., explaining what SQL injection is, showing basic parameterized queries, or explaining why you shouldn't log passwords. The FAIL/PASS pattern is repeated extensively with obvious examples.

Actionability (3 / 3)

Every section provides concrete, executable TypeScript/SQL/bash code examples that are copy-paste ready. The code is complete with imports, error handling, and realistic patterns using specific libraries (zod, DOMPurify, Supabase, express-rate-limit).

Workflow Clarity (2 / 3)

The checklist structure is clear and each section has verification steps, but there's no sequenced workflow for how to actually perform a security review. The pre-deployment checklist is useful but lacks a feedback loop — no guidance on what to do when a check fails, how to prioritize fixes, or when to re-validate after changes.

Progressive Disclosure (1 / 3)

This is a monolithic wall of text with all content inline. The 10 security categories, each with full code examples, verification steps, and explanations, should be split into separate reference files. The SKILL.md should be a concise overview pointing to detailed guides per topic (e.g., AUTH.md, INPUT_VALIDATION.md, etc.).

Total: 7 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata (Warning)

Total: 10 / 11 (Passed)
