secure

Threat modeling and risk audit for code changes and system designs. Walk the new attack surface, identify specific threats grounded in the change, propose security tests. Adversarial about assumptions, specific about risks.

Quality

60%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./deliver/skills/secure/SKILL.md

Quality

Content

62%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured threat modeling skill with a clear three-step workflow and strong emphasis on specificity over generic security checklists. Its main weakness is the lack of concrete examples — a sample threat model output or annotated diff analysis would significantly improve actionability. The content is reasonably concise but has room for tightening, particularly in the failure modes and exclusions sections.

Suggestions

Add a concrete example: show a small diff snippet and the resulting threat model output (specific threat, severity, mitigation, proposed test) to make the skill fully actionable.

Consider moving the 'Failure Modes' section to a separate reference file to reduce inline length and improve progressive disclosure.

Tighten the 'What Secure Does NOT Do' section — Claude doesn't need explanations of what SOC 2 or HIPAA are; a brief bullet list of boundaries would suffice.

Dimension	Reasoning	Score
Conciseness	The content is mostly efficient and well-structured, but includes some sections that could be tightened — the 'What Secure Does NOT Do' section explains things Claude likely understands, the 'Cross-plugin context' section has some filler, and the 'Failure Modes' section, while useful, is somewhat verbose with its cause/fix pattern repeated five times.	2 / 3
Actionability	The skill provides a clear framework (three moves) with specific categories and severity levels, but lacks concrete executable examples — no sample threat model output, no example diff analysis, no template showing what a completed threat assessment looks like. The guidance is structured but remains at the level of 'what to do' rather than 'here's exactly what it looks like done.'	2 / 3
Workflow Clarity	The three-move workflow (walk attack surface → identify specific threats → propose security tests) is clearly sequenced with explicit criteria at each step. Each threat requires severity, mitigation, cost, and concrete attacker action — serving as validation checkpoints. The transitions section provides clear handoff points, and the failure modes section acts as a verification checklist.	3 / 3
Progressive Disclosure	The skill references several external files (foundation/SKILL.md, foundation/model.md, foundation/guidelines.md, security-lead agent) but no bundle files were provided to verify these exist. The content itself is moderately long and could benefit from splitting — e.g., the failure modes or the STRIDE-specific guidance could be in a separate reference file rather than inline.	2 / 3
	Total	9 / 12 Passed

Description

57%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description establishes a clear security-focused niche with reasonable specificity about its adversarial threat-modeling purpose. However, it lacks an explicit 'Use when...' clause, which weakens its ability to serve as a reliable trigger for skill selection. Adding explicit trigger conditions and more natural user-facing keywords would significantly improve its effectiveness.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks for a security review, threat model, risk assessment, or vulnerability analysis of code changes or architecture designs.'

Include more natural trigger terms users would say, such as 'security review', 'vulnerability', 'STRIDE', 'OWASP', 'pen test', 'security concerns', or 'is this secure'.

Dimension	Reasoning	Score
Specificity	Names the domain (threat modeling, risk audit) and some actions (walk attack surface, identify threats, propose security tests), but the actions are somewhat general and not as concrete as listing specific deliverables like 'generate STRIDE analysis, create threat matrix, write fuzzing test cases'.	2 / 3
Completeness	The 'what' is reasonably covered (threat modeling, identifying threats, proposing security tests), but there is no explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied through the mention of 'code changes and system designs'. Per rubric guidelines, missing explicit trigger guidance caps this at 2.	2 / 3
Trigger Term Quality	Includes relevant terms like 'threat modeling', 'risk audit', 'attack surface', 'security tests', but misses common user-facing variations like 'security review', 'vulnerability assessment', 'pen test', 'CVE', 'OWASP', or 'security audit'. A user might say 'review this for security issues' and the description doesn't clearly cover that phrasing.	2 / 3
Distinctiveness Conflict Risk	The description carves out a clear niche around security threat modeling and adversarial risk analysis for code changes, which is distinct enough from general code review, testing, or other security skills. The combination of 'threat modeling', 'attack surface', and 'adversarial about assumptions' creates a well-defined identity.	3 / 3
	Total	9 / 12 Passed

Validation

81%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 9 / 11 Passed

Validation for skill structure

Criteria	Description	Result
allowed_tools_field	'allowed-tools' contains unusual tool name(s)	Warning
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	9 / 11 Passed

Repository: audenaert/etak
Commit: 632c389

Reviewed: 27 days ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.