
security-scan

Uses AgentShield to scan your Claude Code configuration (the .claude/ directory) for security vulnerabilities, misconfigurations, and injection risks. Checks CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions.

Overall score: 82

Quality: 73% (does it follow best practices?)

Impact: 97%, 2.25x (average score across 3 eval scenarios)

Security (by Snyk): Advisory. Suggest reviewing before use.

Optimize this skill with Tessl:

npx tessl skill review --optimize ./docs/ja-JP/skills/security-scan/SKILL.md

Quality

Content

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides strong, actionable guidance with executable commands covering all major AgentShield features. However, it is somewhat verbose for a skill file: the 'when to scan' triggers and the detailed findings interpretation inflate the token cost without adding proportional value. The biggest gap is the lack of an explicit scan-fix-verify workflow, which matters because the --fix flag modifies configuration files.

Suggestions

Add an explicit end-to-end workflow: scan → review findings → apply --fix → re-scan to verify fixes were effective, especially since --fix modifies files.

Remove or significantly trim the '起動タイミング' (when to run) section: Claude can infer from context when security scanning is appropriate.

Move the detailed '結果の解釈' (interpreting results) findings breakdown into a separate reference file (e.g., FINDINGS_GUIDE.md) and link to it from the main skill.

Dimension scores (reasoning and score)

Conciseness: 2 / 3

The skill is mostly efficient, with good table-based summaries, but includes some unnecessary content, such as the '起動タイミング' (when to run) section (Claude can infer when to run a security scan) and the detailed explanation of what --fix does. The severity grading table and findings interpretation sections add bulk that could be trimmed.

Actionability: 3 / 3

Provides fully executable, copy-paste-ready commands for every operation: scanning, output formats, auto-fix, deep analysis, init, and CI integration. The GitHub Action YAML snippet and all CLI commands are concrete and immediately usable.

Workflow Clarity: 2 / 3

The skill presents individual commands clearly but lacks an explicit end-to-end workflow with validation checkpoints. For a security scanning tool that can auto-fix files (a potentially destructive operation), there is no feedback loop such as 'scan → review findings → fix → re-scan to verify'. The --fix command is presented without a verification step afterward.

Progressive Disclosure: 2 / 3

Content is well-structured with clear headers and tables, but everything is inline in a single file that runs quite long. The detailed findings interpretation section and severity grading could be split into a reference file. No bundle files are provided to offload content, and no references to supplementary files exist.

Total: 9 / 12 (Passed)
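The scan → review findings → fix → re-scan loop that the suggestion above asks for (and that the Workflow Clarity dimension scores as missing), as an added shell example; it is not part of the skill, of AgentShield, or of this review page. The scanner command is an assumption: it is read from the SCANNER variable, and the only flag the loop relies on is --fix, which the review says modifies files. The stand-in scanner, its single rule about a blanket Bash(*) allow entry, and the sample settings.json are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not AgentShield's or the skill's own code): scan -> backup ->
# --fix -> diff -> re-scan, refusing to keep a fix that did not reduce findings.
# The scanner invocation is an assumption; set SCANNER to the single command
# word that runs the real scanner. Only the --fix flag is relied on.
set -eu

# Count finding lines in a saved scanner report. The "FINDING:" prefix is the
# output format of the constructed stand-in scanner below, not AgentShield's.
count_findings() {
  grep -c '^FINDING:' "$1" || true
}

# Snapshot the config directory before anything may modify it, so the --fix
# changes can be diffed, reviewed, and reverted.
backup_config() {
  cp -R "$1" "$1.bak-$2"
  printf '%s\n' "$1.bak-$2"
}

# Returns 0 only when the re-scan reports fewer findings than the first scan;
# otherwise restores the backup and returns 1.
scan_fix_verify() {
  dir="$1"; scanner="${2:-${SCANNER:-fake_scanner}}"
  work="$(mktemp -d)"

  "$scanner" "$dir" > "$work/before.txt" || true
  before="$(count_findings "$work/before.txt")"
  if [ "$before" -eq 0 ]; then
    echo "before=0 after=0 (clean, nothing to fix)"
    return 0
  fi

  backup="$(backup_config "$dir" "$$")"
  "$scanner" "$dir" --fix > "$work/fix.txt" || true
  # Review step: every line --fix touched, as a diff against the backup.
  diff -ru "$backup" "$dir" > "$work/changes.diff" || true

  "$scanner" "$dir" > "$work/after.txt" || true
  after="$(count_findings "$work/after.txt")"
  echo "before=$before after=$after diff=$work/changes.diff"

  if [ "$after" -ge "$before" ]; then
    printf '%s\n' "--fix did not reduce findings; restoring $backup" >&2
    rm -rf "$dir" && cp -R "$backup" "$dir"
    return 1
  fi
  return 0
}

# Constructed stand-in scanner so the loop runs offline. Its single rule is an
# assumption made for illustration: a blanket "Bash(*)" allow entry in
# settings.json is a finding, and --fix narrows it to "Bash(git *)".
fake_scanner() {
  f="$1/settings.json"; mode="${2:-}"
  [ -f "$f" ] || return 0
  if grep -q 'Bash(\*)' "$f"; then
    echo "FINDING: $f allows Bash(*) (blanket shell permission)"
    if [ "$mode" = "--fix" ]; then
      sed 's/Bash(\*)/Bash(git *)/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    fi
  fi
}

# Constructed sample .claude/ directory carrying the over-broad permission.
make_sample_config() {
  d="$(mktemp -d)/.claude"
  mkdir -p "$d"
  cat > "$d/settings.json" <<'EOF'
{
  "permissions": {
    "allow": ["Read(*)", "Bash(*)"]
  }
}
EOF
  printf '%s\n' "$d"
}

# With --demo, exercise the loop on the constructed sample; otherwise the file
# only defines the functions above.
case "${1:-}" in
  --demo) scan_fix_verify "$(make_sample_config)" ;;
esac
```

Run it with --demo to see the loop on the constructed sample; for a real scan, export SCANNER as the command that invokes the scanner and call scan_fix_verify on the .claude/ directory. The backup-then-diff step is what turns --fix from a blind rewrite into a reviewable change, and the restore path guards against a fixer that leaves the finding count unchanged or makes it worse.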

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong description with excellent specificity and distinctiveness, clearly naming the tool (AgentShield), the target domain (Claude Code configuration security), and the specific files/components it checks. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill over others.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to audit, scan, or review the security of their Claude Code configuration, .claude/ directory, or MCP server setup.'

Dimension scores (reasoning and score)

Specificity: 3 / 3

Lists multiple specific, concrete actions: scanning for security vulnerabilities, configuration errors, and injection risks. Also specifies concrete targets: CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions.

Completeness: 2 / 3

Clearly answers 'what does this do' (scan Claude Code configuration for security vulnerabilities, misconfigurations, and injection risks) but lacks an explicit 'Use when...' clause or equivalent trigger guidance for when Claude should select this skill.

Trigger Term Quality: 3 / 3

Includes strong natural trigger terms that users would say: 'AgentShield', 'セキュリティ脆弱性' (security vulnerabilities), '設定ミス' (misconfiguration), 'インジェクションリスク' (injection risk), '.claude/', 'CLAUDE.md', 'settings.json', 'MCP サーバー' (MCP servers), 'フック' (hooks). Good coverage of relevant terms.

Distinctiveness / Conflict Risk: 3 / 3

Highly distinctive: targets a very specific niche (security scanning of Claude Code's .claude/ directory configuration). The combination of AgentShield, Claude Code settings, and specific file types like CLAUDE.md makes it unlikely to conflict with other skills.

Total: 11 / 12 (Passed)

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 11 / 11 passed. No warnings or errors.

Repository
affaan-m/everything-claude-code
Reviewed
