askill: severity

Severity classification for findings in code reviews, security audits, and quality assessments. Preload on agents that produce review findings to ensure consistent severity ratings.

0 stars
1.2k downloads
Updated 3/18/2026

Package Files

SKILL.md

Severity Classification

Use these levels when rating findings in reviews, audits, and assessments.

Inspired by CVSS v4.0 qualitative ratings and OWASP Risk Rating, adapted for general code review findings beyond pure security.

Levels

CRITICAL — Must fix before merge. Exploitable vulnerability, data loss, correctness bug causing wrong results, or system breakage. Production incident if deployed. CVSS equivalent: 9.0-10.0. Examples: RCE, SQL injection, data breach, silent data corruption.

HIGH — Should fix before merge. Significant risk or correctness issue that will likely cause problems. Workaround may exist but is not acceptable long-term. CVSS equivalent: 7.0-8.9. Examples: privilege escalation, race condition causing data loss, broken authentication, missing input validation on untrusted data.

MEDIUM — Fix before production. Real issue that requires additional factors to manifest, or a design flaw that increases future risk. Acceptable to merge with a tracked follow-up. CVSS equivalent: 4.0-6.9. Examples: information disclosure, missing rate limiting, code duplication creating maintenance risk, error handling that swallows context.

LOW — Improvement recommended. Minor issue, defense in depth, code hygiene, or deviation from best practices. No immediate risk but worth addressing. CVSS equivalent: 0.1-3.9. Examples: non-idiomatic code, missing documentation, inconsistent naming, suboptimal algorithm for current scale.

INFO — Positive observation. Something done well, a good pattern worth noting, or context that helps readers understand the codebase. No action required. CVSS equivalent: None (0.0). Examples: well-structured error handling, good test coverage, clean separation of concerns, effective use of type system.

Scale

CRITICAL > HIGH > MEDIUM > LOW > INFO

Rules

  • Everything that may require action must be LOW or higher
  • INFO is exclusively for praise and context — never for suggestions or improvements
  • When in doubt between two levels, choose the higher one
  • Severity reflects impact and likelihood, not effort to fix
  • A trivial one-line fix can still be CRITICAL if the impact is severe
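The levels and rules above can be enforced mechanically on the findings an agent emits. The following is an added example (not part of the skill package): it encodes the CVSS-equivalent bands and the ordering, and audits a constructed list of findings for the two rules that are checkable without judgement. The `requires_action` and `cvss` fields on `Finding` are assumptions about how a review agent might tag its output.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Severity(IntEnum):  # IntEnum so that CRITICAL > HIGH > MEDIUM > LOW > INFO holds
    INFO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4

# CVSS-equivalent bands taken from the level definitions; 0.0 maps to INFO.
CVSS_BANDS = [(9.0, Severity.CRITICAL), (7.0, Severity.HIGH), (4.0, Severity.MEDIUM), (0.1, Severity.LOW)]

def level_from_cvss(score: float) -> Severity:
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, level in CVSS_BANDS:
        if score >= floor:
            return level
    return Severity.INFO

@dataclass
class Finding:
    title: str
    level: Severity
    requires_action: bool          # assumed tag: does the finding ask the author to change anything?
    cvss: Optional[float] = None   # assumed tag: set only when a CVSS-style score was computed

def check_finding(f: Finding) -> list[str]:
    """Return the rules a finding violates (an empty list means it is consistent)."""
    problems = []
    if f.requires_action and f.level == Severity.INFO:
        problems.append("anything that may require action must be LOW or higher; INFO is praise/context only")
    if not f.requires_action and f.level > Severity.INFO:
        problems.append("LOW and above describe something to address; a no-action observation is INFO")
    if f.cvss is not None and level_from_cvss(f.cvss) != f.level:
        problems.append(f"{f.level.name} disagrees with CVSS {f.cvss} ({level_from_cvss(f.cvss).name})")
    return problems

def audit(findings: list[Finding]) -> dict[str, list[str]]:
    return {f.title: p for f in findings if (p := check_finding(f))}  # inconsistent findings only

# Constructed sample findings, as an agent might emit them after a review.
SAMPLE = [
    Finding("SQL built with string concatenation", Severity.CRITICAL, True, 9.8),
    Finding("Rename helper for consistency", Severity.INFO, True),        # suggestion filed as INFO
    Finding("Missing rate limiting on login", Severity.HIGH, True, 5.3),  # level disagrees with CVSS
    Finding("Clean separation of concerns", Severity.INFO, False),
]
```

Running `audit(SAMPLE)` flags the second and third findings; sorting findings by `level` descending gives the scale order used above.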

Install

Requires askill CLI v1.0+

AI Quality Score

92/100, analyzed 3/2/2026

Well-structured severity classification system with clear definitions, CVSS equivalents, and practical examples. Located in dedicated skills folder with useful tags. Provides actionable guidance for rating findings in code reviews and security audits. Based on industry standards (CVSS, OWASP) making it broadly applicable.


Metadata

License: unknown
Version: -
Updated: 3/18/2026
Publisher: lklimek

Tags

database, security, testing