senior-secops
tessl i github:alirezarezvani/claude-skills --skill senior-secopsComprehensive SecOps skill for application security, vulnerability management, compliance, and secure development practices. Includes security scanning, vulnerability assessment, compliance checking, and security automation. Use when implementing security controls, conducting security audits, responding to vulnerabilities, or ensuring compliance requirements.
Activation
67%The description provides a solid foundation with explicit 'what' and 'when' clauses, earning full marks for completeness. However, it suffers from being too broad and category-level rather than listing concrete, specific actions. The trigger terms are adequate but could benefit from more natural user language variations and specific security terminology users commonly use.
Suggestions
Add more specific concrete actions like 'run SAST/DAST scans', 'generate CVE remediation reports', 'check OWASP Top 10 compliance', 'review security configurations'
Include common user trigger terms like 'CVE', 'penetration test', 'OWASP', 'security review', 'hardening', 'SOC2', 'PCI-DSS' that users naturally say when needing security help
Consider narrowing scope or clarifying boundaries to reduce potential conflicts with other security-related skills
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Names the domain (SecOps, application security) and lists some actions (security scanning, vulnerability assessment, compliance checking, security automation), but these are category-level rather than concrete specific actions like 'run SAST scans' or 'generate CVE reports'. | 2 / 3 |
Completeness | Clearly answers both what (security scanning, vulnerability assessment, compliance checking, security automation) and when with explicit 'Use when...' clause covering implementing security controls, conducting audits, responding to vulnerabilities, and ensuring compliance. | 3 / 3 |
Trigger Term Quality | Includes relevant keywords like 'security scanning', 'vulnerability', 'compliance', 'security audits', but misses common user variations like 'CVE', 'penetration testing', 'OWASP', 'security review', 'hardening', or specific tool names users might mention. | 2 / 3 |
Distinctiveness Conflict Risk | While security-focused, the broad scope ('comprehensive SecOps skill') could overlap with more specific security skills (e.g., a dedicated compliance skill, a vulnerability scanning skill, or a secure coding skill). The description covers too many domains without clear boundaries. | 2 / 3 |
Total | 9 / 12 Passed |
Implementation
7%This skill is a generic template with placeholder content that provides almost no actionable SecOps guidance. It lists tools and references without explaining how to actually perform security scanning, vulnerability assessment, or compliance checking. The content reads like marketing copy rather than operational instructions for Claude.
Suggestions
Replace generic script descriptions with actual security-specific examples showing input/output (e.g., 'python scripts/security_scanner.py --target ./src --rules owasp-top-10' with sample output showing found vulnerabilities)
Add concrete security workflows with validation steps, such as: 1) Run scan, 2) Triage findings by severity, 3) Verify false positives, 4) Generate remediation tickets
Remove the generic 'Best Practices Summary' and 'Tech Stack' sections - Claude knows these concepts. Replace with security-specific decision trees (e.g., 'If CVE severity is Critical AND exploitable: immediate patch required')
Provide actual examples of security findings and how to respond to them, including specific commands for common vulnerability types (SQL injection, XSS, dependency vulnerabilities)
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Extremely verbose with generic placeholder content that adds no value. Lists obvious best practices Claude already knows ('Write clear code', 'Validate all inputs'), includes a massive tech stack list irrelevant to the skill's purpose, and repeats the same reference file links multiple times. | 1 / 3 |
Actionability | Provides no concrete, executable guidance. Script commands use vague placeholders like '[options]' and '[arguments]' without explaining what they do. Feature lists are generic marketing speak ('Deep analysis', 'Expert-level automation') with no actual security-specific instructions or examples. | 1 / 3 |
Workflow Clarity | No clear security workflow is defined. For a SecOps skill involving vulnerability management and compliance, there are no validation checkpoints, no incident response sequences, no feedback loops for security findings. The 'Development Workflow' section is generic setup steps unrelated to security operations. | 1 / 3 |
Progressive Disclosure | References external documentation files appropriately (references/*.md), but the main content is bloated with generic information that should either be removed or moved to reference files. The structure exists but content organization is poor. | 2 / 3 |
Total | 5 / 12 Passed |
Validation
81%| Criteria | Description | Result |
|---|---|---|
metadata_version | 'metadata' field is not a dictionary | Warning |
license_field | 'license' field is missing | Warning |
body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
Total | 13 / 16 Passed | |
Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.