Comprehensive AI security verification using OWASP AI Security Verification Standard (AISVS) framework. Provides structured checklist to verify security and ethical considerations across 13 categories of AI-driven applications, from training data governance to human oversight.
57
36%
Does it follow best practices?
Impact
98%
1.06x
Average score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./.claude/skills/ai-security-verification/SKILL.md
Quality
Discovery
57%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear and distinctive niche (OWASP AISVS-based AI security verification) but falls short on completeness by lacking an explicit 'Use when...' clause. It provides moderate specificity by referencing the framework and category examples but could list more concrete actions. Trigger terms are relevant but miss common user-facing synonyms.
Suggestions
- Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about AI security audits, AI risk assessments, OWASP AISVS compliance, or verifying security of machine learning systems.'
- Include additional natural trigger terms users might say, such as 'AI safety', 'ML security', 'model security audit', 'responsible AI', 'AI compliance', or 'AI risk assessment'.
- List more concrete actions beyond 'provides structured checklist', e.g., 'Evaluates training data governance, assesses model robustness, reviews human oversight controls, checks for adversarial attack resilience.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (AI security verification) and references a specific framework (OWASP AISVS), mentions '13 categories' and gives examples like 'training data governance' and 'human oversight', but doesn't list multiple concrete actions beyond 'provides structured checklist to verify'. | 2 / 3 |
| Completeness | The 'what' is reasonably covered (structured checklist for AI security verification using OWASP AISVS), but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. | 2 / 3 |
| Trigger Term Quality | Includes relevant terms like 'OWASP', 'AISVS', 'AI security', 'training data governance', 'human oversight', but misses common user-facing variations like 'AI safety', 'model security audit', 'ML security', 'responsible AI', or 'AI risk assessment' that users might naturally say. | 2 / 3 |
| Distinctiveness Conflict Risk | The description is highly specific to the OWASP AISVS framework for AI security verification, which is a clear niche unlikely to conflict with other skills. The combination of 'OWASP AISVS' and '13 categories' makes it very distinct. | 3 / 3 |
| Total | 9 / 12 Passed | |
Implementation
14%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads as a high-level outline or table of contents rather than actionable instructions. It names 13 security verification categories but provides no concrete guidance on how to perform any of them—no checklists, no specific questions, no pass/fail criteria, no tools, and no examples. The referenced template file doesn't exist in the bundle, and the complexity of the topic demands significantly more supporting material.
Suggestions
- Add concrete, actionable checklists for each of the 13 categories with specific questions to answer, criteria to evaluate, and pass/fail thresholds (e.g., 'Verify that all training data sources have documented provenance records — check for X, Y, Z').
- Provide the referenced `templates/finding.md` file and create supporting detail files for each category to enable progressive disclosure (e.g., `categories/01-training-data.md` with detailed verification steps).
- Include at least one worked example showing what a complete finding looks like for one category, demonstrating the expected depth and format of the assessment output.
- Add validation checkpoints and a workflow for the overall assessment process (e.g., 'Complete categories 1-5 first as they are prerequisites; validate findings with stakeholders before proceeding to categories 6-13').
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is moderately efficient but includes some unnecessary elaboration in the category descriptions (e.g., listing sub-topics like 'provenance, bias detection, and governance controls' for each of the 13 categories adds bulk without actionable specificity). The descriptions read more like a table of contents than instructions. | 2 / 3 |
| Actionability | The skill provides no concrete guidance on how to actually perform any of the 13 verification steps. There are no specific commands, code, checklists, questions to ask, tools to use, or criteria to evaluate against—just abstract category descriptions like 'Assess data quality' and 'Evaluate input sanitization' without explaining what that means in practice. | 1 / 3 |
| Workflow Clarity | While the 13 categories are numbered, there is no actual workflow—no sequencing rationale, no validation checkpoints, no feedback loops, and no guidance on how to proceed through the assessment. Each step is essentially 'assess X' with no indication of how to assess it, what constitutes a pass/fail, or what to do with findings. | 1 / 3 |
| Progressive Disclosure | The skill references `templates/finding.md` but no bundle files are provided, making this a dead reference. There are no supporting files for any of the 13 categories despite each being complex enough to warrant detailed sub-documents with specific checklists, criteria, and examples. The OWASP references section lists documents without links or actionable pointers. | 1 / 3 |
| Total | 5 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| Total | 10 / 11 Passed | |
79fea6b