
security-scan

Uses AgentShield to scan Claude Code configuration (the .claude/ directory) for security vulnerabilities, misconfigurations, and injection risks. Checks CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions.

82

Quality: 73% (Does it follow best practices?)

Impact: 97% (2.25x, average score across 3 eval scenarios)

Security by Snyk

Advisory: Suggest reviewing before use

Optimize this skill with Tessl

npx tessl skill review --optimize ./docs/ja-JP/skills/security-scan/SKILL.md

Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong description that clearly identifies specific capabilities (security scanning of Claude Code configurations) and concrete targets (CLAUDE.md, settings.json, MCP servers, hooks, agent definitions). Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The description is distinctive and uses natural trigger terms effectively.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to audit, scan, or review Claude Code configuration security, or mentions AgentShield, .claude/ directory security, or MCP server safety.'

Dimension, reasoning, and score:

Specificity (3 / 3): Lists multiple specific concrete actions: scanning security vulnerabilities, configuration errors, and injection risks. Also specifies concrete targets: CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions.

Completeness (2 / 3): Clearly answers 'what does this do' (scans Claude Code configuration for security vulnerabilities, misconfigurations, and injection risks), but lacks an explicit 'Use when...' clause or equivalent trigger guidance for when Claude should select this skill.

Trigger Term Quality (3 / 3): Includes strong natural trigger terms that users would say: 'AgentShield', 'セキュリティ脆弱性' (security vulnerabilities), '設定ミス' (misconfiguration), 'インジェクションリスク' (injection risk), '.claude/', 'CLAUDE.md', 'settings.json', 'MCP サーバー', 'フック' (hooks). Good coverage of relevant terms.

Distinctiveness Conflict Risk (3 / 3): Highly distinctive - focuses specifically on security scanning of Claude Code's .claude/ directory configuration. The combination of AgentShield, Claude Code settings, and security scanning creates a very clear niche unlikely to conflict with other skills.

Total: 11 / 12. Passed.

Implementation

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides excellent actionable guidance with concrete, executable commands for every AgentShield operation. However, it's somewhat verbose for a skill file — the findings interpretation and severity tables add bulk that could be referenced externally. The biggest gap is the lack of an explicit scan-fix-verify workflow with validation checkpoints, especially important given the --fix flag modifies configuration files.

Suggestions

Add an explicit end-to-end workflow section with validation: scan → review → fix → re-scan to confirm grade improvement, especially for the --fix auto-remediation path.

Move the detailed 'Results Interpretation' and severity grading sections to a separate REFERENCE.md file and link to it, keeping the main skill focused on commands and workflow.

Remove the '起動タイミング' section — Claude can infer when to run security scans without being told explicitly.

Dimension, reasoning, and score:

Conciseness (2 / 3): The skill is reasonably efficient but includes some content that could be tightened — the '起動タイミング' section lists obvious triggers Claude could infer, and the severity grading table and detailed findings interpretation sections are somewhat verbose. The scan target table and command examples are well-structured though.

Actionability (3 / 3): Provides fully executable, copy-paste ready commands for every operation — scanning, output formats, auto-fix, deep analysis, init, and CI integration. The GitHub Action YAML snippet and all CLI commands are concrete and immediately usable.

Workflow Clarity (2 / 3): While individual commands are clear, there's no explicit end-to-end workflow with validation checkpoints. For a security scanning tool that can auto-fix files (--fix), there should be a clear sequence like: scan → review findings → fix → re-scan to verify. The auto-fix section lacks a re-validation step after applying fixes.

Progressive Disclosure (2 / 3): Content is well-organized with clear sections and tables, but the document is quite long (~130 lines of content) with detailed findings interpretation that could be split into a separate reference file. The severity levels and findings interpretation sections could be linked out to keep the main skill leaner.

Total: 9 / 12. Passed.

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: affaan-m/everything-claude-code (Reviewed)
