aws-compliance-checker
Automated compliance checking against CIS, PCI-DSS, HIPAA, and SOC 2 benchmarks
32
27%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/antigravity-aws-compliance-checker/SKILL.mdQuality
Discovery
40%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear domain niche with specific compliance frameworks, making it distinctive. However, it lacks a 'Use when...' clause, provides only a single vague action ('checking'), and misses common user-facing trigger terms like 'security audit' or 'compliance scan'. It needs both more concrete action descriptions and explicit trigger guidance.
Suggestions
Add a 'Use when...' clause with trigger terms like 'compliance audit', 'security benchmark', 'regulatory check', 'CIS scan', 'PCI compliance', 'HIPAA audit'.
List specific concrete actions such as 'Scans infrastructure configurations, generates compliance reports, identifies policy violations, and recommends remediation steps'.
Include common user phrasing variations like 'security posture assessment', 'compliance scan', 'audit readiness', or 'regulatory requirements check'.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Names the domain (compliance checking) and lists specific frameworks (CIS, PCI-DSS, HIPAA, SOC 2), but doesn't describe concrete actions beyond 'checking' — e.g., what does it produce? Reports, remediation steps, configuration audits? | 2 / 3 |
Completeness | Describes what it does (compliance checking against benchmarks) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per rubric guidelines, missing 'Use when' caps completeness at 2, and the 'what' is also thin, warranting a 1. | 1 / 3 |
Trigger Term Quality | Includes good framework-specific keywords (CIS, PCI-DSS, HIPAA, SOC 2) that users would naturally mention, but misses common variations like 'security audit', 'compliance scan', 'benchmark', 'security posture', or 'regulatory compliance'. | 2 / 3 |
Distinctiveness Conflict Risk | The combination of 'compliance checking' with specific benchmark standards (CIS, PCI-DSS, HIPAA, SOC 2) creates a clear niche that is unlikely to conflict with other skills. | 3 / 3 |
Total | 8 / 12 Passed |
Implementation
14%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is a massive dump of compliance-checking scripts with poor organization and no clear workflow. While the individual bash/Python scripts contain real, mostly-executable AWS CLI commands, the skill suffers from extreme verbosity, missing implementations (SOC 2, stub functions), and a monolithic structure that should be split into referenced bundle files. It reads more like a reference manual than an actionable skill guide.
Suggestions
Extract all scripts into separate bundle files (e.g., scripts/cis-iam-checks.sh, scripts/pci-dss-checker.py) and replace inline code with brief descriptions and file references.
Add a clear workflow section at the top: 1) Choose framework, 2) Run checks, 3) Review output, 4) Remediate findings, 5) Re-run to validate fixes — with explicit validation checkpoints.
Remove the 'Supported Frameworks' section listing sub-categories Claude already knows, and eliminate stub/placeholder code (empty functions, comment-only requirements).
Either implement SOC 2 checks or remove it from the supported frameworks list to avoid misleading claims about coverage.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Extremely verbose at ~400+ lines. Lists every compliance framework's sub-categories (which Claude already knows), includes massive bash scripts that are largely repetitive, explains what PCI-DSS and HIPAA stand for, and includes boilerplate sections like 'Example Prompts' and 'Best Practices' with generic advice. The compliance-report.py has stub functions (run_cis_checks returning empty list) that add no value. | 1 / 3 |
Actionability | The bash scripts and Python code are mostly executable and contain real AWS CLI commands, which is good. However, the PCI-DSS checker has placeholder comments ('Check for default passwords, etc.'), the compliance-report.py has empty stub functions, and the SOC 2 framework listed in 'Supported Frameworks' has zero implementation. Key details like required IAM permissions are missing. | 2 / 3 |
Workflow Clarity | There is no clear workflow for how to actually use these scripts together. No sequencing of steps, no validation checkpoints, no guidance on what to do when checks fail, no error recovery. The scripts are just dumped as standalone files with no integration guidance. For compliance checking (which can have destructive remediation implications), this lack of workflow structure is a significant gap. | 1 / 3 |
Progressive Disclosure | Monolithic wall of text with hundreds of lines of inline scripts that should be in separate bundle files. No bundle files are provided despite the content clearly warranting them (e.g., cis-iam-checks.sh, cis-logging-checks.sh, pci-dss-checker.py could all be referenced files). The SKILL.md should be a concise overview pointing to these scripts, not embedding them entirely. | 1 / 3 |
Total | 5 / 12 Passed |
Validation
81%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
skill_md_line_count | SKILL.md is long (522 lines); consider splitting into references/ and linking | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 9 / 11 Passed | |
- Repository
- boisenoise/skills-collections
- Commit
cfced3a
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.