Threat modeling and risk audit for code changes and system designs. Walk the new attack surface, identify specific threats grounded in the change, propose security tests. Adversarial about assumptions, specific about risks.
52
60%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./deliver/skills/secure/SKILL.md
Quality
Discovery
57%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description establishes a clear security-focused niche with reasonable specificity about its adversarial threat-modeling purpose. However, it lacks an explicit 'Use when...' clause, which weakens its ability to serve as a reliable trigger for skill selection. Adding explicit trigger conditions and more natural user-facing keywords would significantly improve its effectiveness.
Suggestions
- Add an explicit 'Use when...' clause, e.g., 'Use when the user asks for a security review, threat model, risk assessment, or vulnerability analysis of code changes or architecture designs.'
- Include more natural trigger terms users would say, such as 'security review', 'vulnerability', 'STRIDE', 'OWASP', 'pen test', 'security concerns', or 'is this secure'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (threat modeling, risk audit) and some actions (walk attack surface, identify threats, propose security tests), but the actions are somewhat general and not as concrete as listing specific deliverables like 'generate STRIDE analysis, create threat matrix, write fuzzing test cases'. | 2 / 3 |
| Completeness | The 'what' is reasonably covered (threat modeling, identifying threats, proposing security tests), but there is no explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied through the mention of 'code changes and system designs'. Per rubric guidelines, missing explicit trigger guidance caps this at 2. | 2 / 3 |
| Trigger Term Quality | Includes relevant terms like 'threat modeling', 'risk audit', 'attack surface', 'security tests', but misses common user-facing variations like 'security review', 'vulnerability assessment', 'pen test', 'CVE', 'OWASP', or 'security audit'. A user might say 'review this for security issues' and the description doesn't clearly cover that phrasing. | 2 / 3 |
| Distinctiveness Conflict Risk | The description carves out a clear niche around security threat modeling and adversarial risk analysis for code changes, which is distinct enough from general code review, testing, or other security skills. The combination of 'threat modeling', 'attack surface', and 'adversarial about assumptions' creates a well-defined identity. | 3 / 3 |
| Total | 9 / 12 Passed | |
Implementation
62%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured threat modeling skill with a clear three-step workflow and strong emphasis on specificity over generic security checklists. Its main weakness is the lack of concrete examples — a sample threat model output or annotated diff analysis would significantly improve actionability. The content is reasonably concise but has room for tightening, particularly in the failure modes and exclusions sections.
Suggestions
- Add a concrete example: show a small diff snippet and the resulting threat model output (specific threat, severity, mitigation, proposed test) to make the skill fully actionable.
- Consider moving the 'Failure Modes' section to a separate reference file to reduce inline length and improve progressive disclosure.
- Tighten the 'What Secure Does NOT Do' section — Claude doesn't need explanations of what SOC 2 or HIPAA are; a brief bullet list of boundaries would suffice.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is mostly efficient and well-structured, but includes some sections that could be tightened — the 'What Secure Does NOT Do' section explains things Claude likely understands, the 'Cross-plugin context' section has some filler, and the 'Failure Modes' section, while useful, is somewhat verbose with its cause/fix pattern repeated five times. | 2 / 3 |
| Actionability | The skill provides a clear framework (three moves) with specific categories and severity levels, but lacks concrete executable examples — no sample threat model output, no example diff analysis, no template showing what a completed threat assessment looks like. The guidance is structured but remains at the level of 'what to do' rather than 'here's exactly what it looks like done.' | 2 / 3 |
| Workflow Clarity | The three-move workflow (walk attack surface → identify specific threats → propose security tests) is clearly sequenced with explicit criteria at each step. Each threat requires severity, mitigation, cost, and concrete attacker action — serving as validation checkpoints. The transitions section provides clear handoff points, and the failure modes section acts as a verification checklist. | 3 / 3 |
| Progressive Disclosure | The skill references several external files (foundation/SKILL.md, foundation/model.md, foundation/guidelines.md, security-lead agent) but no bundle files were provided to verify these exist. The content itself is moderately long and could benefit from splitting — e.g., the failure modes or the STRIDE-specific guidance could be in a separate reference file rather than inline. | 2 / 3 |
| Total | 9 / 12 Passed | |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
632c389