
mtls-configuration

Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication.

73

1.02x
Quality: 59% (Does it follow best practices?)

Impact: 97%, 1.02x (Average score across 3 eval scenarios)

Security by Snyk

Advisory

Suggest reviewing before use

Optimize this skill with Tessl

npx tessl skill review --optimize ./tests/ext_conformance/artifacts/agents-wshobson/cloud-infrastructure/skills/mtls-configuration/SKILL.md

Quality

Discovery

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a solid description with a clear 'Use when' clause and good trigger term coverage for its niche domain. Its main weakness is that the 'what' portion could be more specific about the concrete actions performed (e.g., generating CA certificates, configuring TLS termination, rotating certificates). Overall it performs well for skill selection purposes.

Suggestions

Expand the capability list with more specific concrete actions, e.g., 'Generates CA certificates, configures certificate rotation, sets up TLS termination, and validates mTLS handshakes' to improve specificity.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Names the domain (mTLS, zero-trust, service-to-service communication) and a few actions (configure, certificate management, securing), but doesn't list multiple specific concrete actions like generating certificates, configuring certificate authorities, setting up certificate rotation, or validating mTLS handshakes. | 2 / 3 |
| Completeness | Clearly answers both 'what' (configure mutual TLS for zero-trust service-to-service communication) and 'when' (explicit 'Use when' clause covering zero-trust networking, certificate management, or securing internal service communication). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'mTLS', 'mutual TLS', 'zero-trust', 'certificate management', 'service-to-service communication', 'internal service communication'. These cover the main terms a user would naturally use when needing this skill. | 3 / 3 |
| Distinctiveness Conflict Risk | The description targets a very specific niche—mTLS and zero-trust networking—with distinct trigger terms like 'mTLS', 'mutual TLS', and 'zero-trust' that are unlikely to conflict with other skills. | 3 / 3 |
| Total | | 11 / 12 |

Passed

Implementation

29%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides excellent concrete, executable YAML templates and debugging commands, but suffers from being a monolithic reference dump rather than a structured guide. It lacks a clear implementation workflow with validation steps, and includes significant content Claude already knows (mTLS flow diagrams, certificate hierarchy concepts). The file would benefit greatly from being split into a concise overview with references to detailed template files.

Suggestions

Add a clear step-by-step implementation workflow (e.g., 1. Apply PERMISSIVE → 2. Verify traffic → 3. Switch to STRICT → 4. Validate mTLS active) with explicit validation checkpoints between steps.

Move the SPIFFE/SPIRE, Linkerd, and cert-manager templates into separate bundle files (e.g., SPIRE.md, LINKERD.md, CERT-MANAGER.md) and reference them from the main skill.

Remove the 'Core Concepts' section (mTLS flow diagram, certificate hierarchy) — Claude already understands these concepts and they consume significant tokens.

Remove the 'When to Use This Skill' and 'Resources' sections, which add no actionable guidance for Claude.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is extremely verbose at ~250+ lines. The ASCII diagrams of mTLS flow and certificate hierarchy explain concepts Claude already knows. The 'When to Use This Skill' section, 'Core Concepts', and 'Resources' sections add little actionable value. Multiple full YAML templates (SPIFFE/SPIRE, Linkerd) bloat the file when they could be in separate reference files. | 1 / 3 |
| Actionability | The templates are concrete, copy-paste ready YAML configurations with real API versions and field values. The debugging section provides specific, executable CLI commands. Certificate rotation commands are fully specified with proper tool chains (istioctl, openssl, jq). | 3 / 3 |
| Workflow Clarity | There is no clear sequenced workflow for implementing mTLS end-to-end. Templates are presented as isolated blocks without a step-by-step process. There are no validation checkpoints between steps (e.g., verify mTLS is working after applying PeerAuthentication before proceeding to STRICT mode). The 'Start with PERMISSIVE' best practice hints at a migration workflow but never defines it. | 1 / 3 |
| Progressive Disclosure | Everything is crammed into a single monolithic file with no bundle files. The SPIFFE/SPIRE configuration, Linkerd templates, and cert-manager setup could each be separate reference files. The document reads as a wall of YAML with minimal navigation structure between sections. | 1 / 3 |
| Total | | 6 / 12 |

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository
Dicklesworthstone/pi_agent_rust
Reviewed
