
security-scan

Uses AgentShield to scan a Claude Code configuration (the .claude/ directory) for security vulnerabilities, misconfigurations, and injection risks. Checks CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions.

Overall score: 82

Quality: 73% (does it follow best practices?)

Impact: 97%, 2.25x (average score across 3 eval scenarios)

Security (by Snyk): Advisory. Suggest reviewing before use.

Optimize this skill with Tessl

npx tessl skill review --optimize ./docs/ja-JP/skills/security-scan/SKILL.md

Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong description that clearly identifies specific capabilities (security scanning of Claude Code configurations) and lists concrete targets (CLAUDE.md, settings.json, MCP servers, hooks, agent definitions). Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The description is well-focused on a distinct niche with good trigger terms.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to audit, review, or secure their Claude Code configuration, or mentions security concerns about .claude/ files, MCP servers, or prompt injection risks.'

Dimension / Reasoning / Score

Specificity (3 / 3): Lists multiple specific concrete actions: scanning security vulnerabilities, configuration mistakes, injection risks, and checking specific files/components (CLAUDE.md, settings.json, MCP servers, hooks, agent definitions).

Completeness (2 / 3): Clearly answers 'what does this do' (scans for security vulnerabilities, misconfigurations, injection risks in Claude Code settings) but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric.

Trigger Term Quality (3 / 3): Includes strong natural trigger terms: 'AgentShield', 'セキュリティ脆弱性' (security vulnerabilities), '設定ミス' (misconfiguration), 'インジェクションリスク' (injection risk), '.claude/', 'CLAUDE.md', 'settings.json', 'MCP サーバー', 'フック', 'エージェント定義'. These are terms users would naturally use when concerned about Claude Code configuration security.

Distinctiveness / Conflict Risk (3 / 3): Very distinct niche: specifically targets Claude Code configuration security scanning with AgentShield. The combination of security scanning + Claude Code .claude/ directory configuration is highly specific and unlikely to conflict with other skills.

Total: 11 / 12 (Passed)

Implementation

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides strong actionability with concrete, executable commands covering all major use cases of AgentShield. Its main weaknesses are the lack of an explicit end-to-end workflow with validation steps (especially important given the --fix flag modifies configuration files) and some verbosity in explanatory sections that could be trimmed or moved to reference files. The content is well-organized but could benefit from a clearer sequential workflow and better progressive disclosure.

Suggestions

Add an explicit end-to-end workflow section: scan → review findings → apply fixes → re-scan to validate → commit, with a checkpoint after --fix to verify no regressions.

Trim or move the '結果の解釈' (interpreting results) section and the severity grading table to a separate reference file to reduce the main skill's token footprint.

Remove the '起動タイミング' (when to run) section: Claude can infer when to run a security scan without being told.

Dimension / Reasoning / Score

Conciseness (2 / 3): The skill is reasonably well-structured but includes some content that could be trimmed: the 'スキャン対象' (scan targets) table, the detailed severity grading table, and the extensive '結果の解釈' (interpreting results) section add bulk. The '起動タイミング' (when to run) section explains when to use the tool, which is somewhat unnecessary context. However, most content is practical and not overly verbose.

Actionability (3 / 3): The skill provides fully executable, copy-paste ready commands for every operation: scanning, output formatting, auto-fix, deep analysis, initialization, and CI integration. The GitHub Action YAML snippet and all CLI commands are concrete and specific.

Workflow Clarity (2 / 3): While individual commands are clear, there is no explicit end-to-end workflow with validation checkpoints. For a security scanning tool that can auto-fix files (--fix), there should be a clear sequence such as: scan → review findings → fix → re-scan to verify. The --fix command modifies files, but there is no guidance to validate the results afterward.

Progressive Disclosure (2 / 3): The content is well-organized with clear sections and tables, but it is a monolithic document with no references to supporting files. The '結果の解釈' (interpreting results) section and severity details could be split into a reference file. Links to GitHub/npm are provided, but no bundled files support progressive disclosure.

Total: 9 / 12 (Passed)

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 passed

Validation for skill structure

No warnings or errors.

Repository: affaan-m/everything-claude-code (reviewed)
