Security engineering toolkit for threat modeling, vulnerability analysis, secure architecture, and penetration testing. Includes STRIDE analysis, OWASP guidance, cryptography patterns, and security scanning tools. Use when the user asks about security reviews, threat analysis, vulnerability assessments, secure coding practices, security audits, attack surface analysis, CVE remediation, or security best practices.
Score: 90

Quality: 78% (Does it follow best practices?)

Impact: 99% (1.06x average score across 6 eval scenarios)

Validation: Passed, no known issues

Skill file: ./engineering-team/senior-security/SKILL.md

Discovery (100%)

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that covers all evaluation dimensions well. It provides specific capabilities (STRIDE, OWASP, cryptography patterns), uses natural trigger terms that users would actually say, and includes a comprehensive 'Use when...' clause with eight distinct trigger scenarios. The security domain is well-defined and unlikely to conflict with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions and frameworks: threat modeling, vulnerability analysis, secure architecture, penetration testing, STRIDE analysis, OWASP guidance, cryptography patterns, and security scanning tools. | 3 / 3 |
| Completeness | Clearly answers both 'what' (security engineering toolkit for threat modeling, vulnerability analysis, etc.) and 'when' with an explicit 'Use when...' clause listing eight specific trigger scenarios. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'security reviews', 'threat analysis', 'vulnerability assessments', 'secure coding practices', 'security audits', 'attack surface analysis', 'CVE remediation', 'security best practices'. These are terms users would naturally use when seeking security help. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear security engineering niche. Terms like STRIDE, OWASP, CVE remediation, penetration testing, and attack surface analysis are specific to security and unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation (57%)

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a comprehensive security engineering skill with good structure and progressive disclosure, but it suffers from being overly broad and somewhat abstract. The workflows read more like process documentation than actionable instructions for Claude — many steps describe what to do conceptually rather than providing concrete commands or executable examples. The few code examples present (SQL injection, Argon2, secret scanning) are strong, but they're the exception rather than the rule across the skill's substantial length.
Suggestions
Add concrete, executable usage examples for the referenced scripts (threat_modeler.py, secret_scanner.py) — e.g., `python scripts/threat_modeler.py --input arch.json --output threats.json`
Move reference tables (STRIDE categories, severity matrices, security headers) to reference files and keep only the most essential ones inline to reduce token usage
Add feedback loops to workflows — e.g., in vulnerability assessment: 'If scan finds critical issues, re-scan after fix to confirm remediation before proceeding'
Replace abstract workflow steps like 'Map trust boundaries' and 'Isolate affected systems' with concrete examples or tool-specific commands where possible
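A concrete shape for the feedback loop the third suggestion asks for, as an added example that is not the skill's own scripts/secret_scanner.py or any code from the reviewed skill: a small scanner run over a constructed sample, a toy remediation, and a gate that re-scans after the fix and only reports clean when nothing remains (or gives up after a bounded number of rounds). The token patterns, the `env()` placeholder used by the remediation, and the sample lines are assumptions for illustration; the AWS value is the documented AKIAIOSFODNN7EXAMPLE placeholder, not a live key.

```python
"""Scan -> fix -> re-scan gate for a secret-scanning workflow step.

Illustrative code (not the reviewed skill's scripts). The patterns are a
minimal assumed set; a real scanner would carry many more rules and would
also trigger credential rotation, which file edits alone never achieve.
"""
import re
from dataclasses import dataclass, field
from typing import Callable

# Assumed rule set: GitHub PAT, AWS access key ID, and a quoted value
# assigned to a suspicious key name.  Group 1/2 of the last rule are used
# by the remediation to keep the key and separator while swapping the value.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|password)(\s*[:=]\s*)['\"]([^'\"]{8,})['\"]"
    ),
}

# Constructed sample input; nothing here is a real credential.
SAMPLE = """\
# constructed sample config (not real credentials)
db_host = "db.internal"
password = "hunter2-but-longer"
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
timeout = 30
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str  # redacted, so findings can be logged safely


@dataclass
class GateResult:
    clean: bool
    scans: int
    remaining: list = field(default_factory=list)
    text: str = ""


def redact(value: str) -> str:
    """Keep a short prefix to locate the value without echoing the secret."""
    return value[:6] + "\u2026" if len(value) > 6 else "*" * len(value)


def scan(text: str) -> list:
    """Return one Finding per (line, rule) hit, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append(Finding(line_no, rule, redact(m.group(0))))
    return findings


def remediate(text: str) -> str:
    """Toy fix: replace each hard-coded value with an env() lookup placeholder.

    The placeholder is unquoted on purpose: a quoted placeholder of 8+ chars
    would re-trigger generic_assignment and the gate would never go clean.
    """
    fixed = PATTERNS["generic_assignment"].sub(
        lambda m: f'{m.group(1)}{m.group(2)}env("{m.group(1).upper()}")', text
    )
    for rule in ("github_pat", "aws_access_key_id"):
        fixed = PATTERNS[rule].sub(f'env("{rule.upper()}")', fixed)
    return fixed


def gate(text: str, fix: Callable[[str], str], max_rounds: int = 2) -> GateResult:
    """Scan, apply fix, re-scan; clean only if a scan returns no findings.

    Bounded so a remediation that does not actually clear the findings
    surfaces as a failed gate instead of an endless loop.
    """
    scans = 0
    while True:
        findings = scan(text)
        scans += 1
        if not findings:
            return GateResult(True, scans, [], text)
        if scans > max_rounds:
            return GateResult(False, scans, findings, text)
        text = fix(text)


if __name__ == "__main__":
    result = gate(SAMPLE, remediate)
    print("clean" if result.clean else "still dirty", "after", result.scans, "scans")
    for f in result.remaining:
        print(f"  line {f.line_no}: {f.rule} ({f.snippet})")
```

Run as-is it reports clean after two scans; swapping `remediate` for a no-op (`lambda t: t`) makes the gate fail after the third scan with the original three findings still listed, which is the explicit error path the review says the skill's validation checklists lack.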
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is quite long (~400 lines) and includes some content Claude already knows (e.g., what STRIDE stands for, basic definitions of severity levels, general incident response phases). The tables are useful reference material but several could be trimmed or moved to reference files. However, it avoids truly egregious over-explanation and most content adds value. | 2 / 3 |
| Actionability | The skill provides some executable code examples (SQL injection, password hashing, secret scanning), which is good. However, most workflows are procedural checklists without concrete commands or executable steps; 'Isolate affected systems' and 'Map trust boundaries' are abstract instructions. The threat_modeler.py and secret_scanner.py scripts are referenced but not shown with usage examples. | 2 / 3 |
| Workflow Clarity | Each workflow has numbered steps and ends with a validation checkpoint, which is good structure. However, the validation steps are summary checklists rather than actionable verification commands. There are no feedback loops (validate -> fix -> retry); the validation lines just list what should have been done. For security-critical operations like incident response and vulnerability assessment, this lacks the explicit error recovery paths needed for a score of 3. | 2 / 3 |
| Progressive Disclosure | The skill has a clear table of contents, well-organized sections, and appropriately references external files (threat-modeling-guide.md, security-architecture-patterns.md, cryptography-implementation.md) at one level deep. The main content serves as an overview with pointers to detailed references, and the related skills section provides good cross-navigation. | 3 / 3 |
| Total | | 9 / 12 Passed |
Validation (90%)

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |