
senior-security

Security engineering toolkit for threat modeling, vulnerability analysis, secure architecture, and penetration testing. Includes STRIDE analysis, OWASP guidance, cryptography patterns, and security scanning tools. Use when the user asks about security reviews, threat analysis, vulnerability assessments, secure coding practices, security audits, attack surface analysis, CVE remediation, or security best practices.

90

1.06x
Quality: 78%
Does it follow best practices?

Impact: 99%
1.06x
Average score across 6 eval scenarios

Security by Snyk: Passed
No known issues


Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that covers all evaluation dimensions well. It provides specific capabilities (STRIDE, OWASP, cryptography patterns), uses natural trigger terms that users would actually say, and includes a comprehensive 'Use when...' clause with eight distinct trigger scenarios. The security domain is well-defined and unlikely to conflict with other skills.

Specificity (3 / 3): Lists multiple specific concrete actions and frameworks: threat modeling, vulnerability analysis, secure architecture, penetration testing, STRIDE analysis, OWASP guidance, cryptography patterns, and security scanning tools.

Completeness (3 / 3): Clearly answers both 'what' (security engineering toolkit for threat modeling, vulnerability analysis, etc.) and 'when' with an explicit 'Use when...' clause listing eight distinct trigger scenarios.

Trigger Term Quality (3 / 3): Excellent coverage of natural terms users would say: 'security reviews', 'threat analysis', 'vulnerability assessments', 'secure coding practices', 'security audits', 'attack surface analysis', 'CVE remediation', 'security best practices'. These are all terms users would naturally use when seeking security help.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive with a clear security engineering niche. Terms like STRIDE, OWASP, CVE remediation, penetration testing, and attack surface analysis are specific to security and unlikely to conflict with other skills.

Total: 12 / 12

Passed

Implementation: 57%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a comprehensive security engineering skill that covers a broad range of topics with good structural organization and progressive disclosure. Its main weaknesses are verbosity in reproducing standard security knowledge that Claude already possesses (STRIDE definitions, OWASP categories, severity matrices) and a lack of concrete, executable guidance in most workflows beyond the code review section. The skill would benefit from trimming well-known reference material and adding more specific tool commands and output examples.

Suggestions

Replace well-known reference tables (STRIDE categories, incident severity levels, security headers) with brief mentions and links to authoritative sources, since Claude already knows these standards.

Add concrete command-line examples to workflows (e.g., specific Semgrep rules, OWASP ZAP commands, nmap scan patterns) instead of just listing tool names.

Include feedback loops in workflows—e.g., after automated scanning, specify how to verify scan completeness and what to do when scans produce false positives.

Add example output formats (e.g., a sample threat model JSON structure, a vulnerability report template) to make the workflows more actionable.

Conciseness (2 / 3): The skill is reasonably well-organized but includes substantial amounts of tabular reference material (STRIDE categories, severity matrices, tool lists, header checklists) that Claude already knows or could easily derive. The security headers checklist, STRIDE definitions, and incident severity levels are standard knowledge that doesn't need to be spelled out. However, the content avoids lengthy prose explanations and uses tables efficiently.

Actionability (2 / 3): The skill provides some executable code examples (SQL injection, password hashing, secret scanning), which are good, but most workflows are high-level procedural checklists without concrete commands or executable steps. For example, the threat modeling, architecture, vulnerability assessment, and incident response workflows describe what to do conceptually but lack specific tool invocations, command-line examples, or concrete output formats.

Workflow Clarity (2 / 3): Each workflow has numbered steps and ends with a validation checkpoint, which is good structure. However, the validation steps are summary checklists rather than actionable verification commands. There are no feedback loops (validate -> fix -> retry) for any of the workflows, and the steps remain at a high abstraction level without specifying how to verify completion of each step.

Progressive Disclosure (3 / 3): The skill has a clear table of contents, well-organized sections, and appropriately references external files (threat-modeling-guide.md, security-architecture-patterns.md, cryptography-implementation.md) for deeper content. References are one level deep and clearly signaled with descriptive tables. The main document serves as an effective overview with pointers to detailed materials.

Total: 9 / 12

Passed

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

frontmatter_unknown_keys (Warning): Unknown frontmatter key(s) found; consider removing or moving to metadata.

Total: 10 / 11

Passed

Repository: alirezarezvani/claude-skills (Reviewed)