Content
14%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a broad catalog of AWS security audit commands but suffers from being a monolithic, verbose reference document rather than a focused, actionable skill. It lacks a clear workflow sequence, validation checkpoints, and proper content organization. The bash commands are largely executable but the Python code is incomplete, and significant portions (compliance mapping, best practices, example prompts) add bulk without proportional value.
Suggestions
Add a clear sequential workflow at the top: verify credentials/permissions → run checks by category → collect findings → generate report, with explicit validation steps between phases.
Split the content into separate files: move compliance mapping, remediation priorities, and the Python score calculator into referenced bundle files, keeping SKILL.md as a concise overview with navigation links.
Remove or drastically trim sections Claude already knows (audit category descriptions, generic best practices, example prompts, additional resources links) to reduce token usage by ~40%.
Fix the Python security score calculator to be fully executable (complete the credential report parsing, remove bare except clauses) or remove it in favor of the bash script approach.
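As an added illustration of the fourth suggestion (not code from the reviewed skill, whose calculator the review describes as stubbed), the following sketch shows what a fully executable credential-report check looks like: it decodes the base64 `Content` field that `aws iam get-credential-report` returns, parses the CSV columns AWS documents for that report, and raises a specific `ValueError` on malformed input instead of hiding it behind a bare `except`. The sample report, the 90-day key-age threshold, the 10-points-per-finding scoring and the fixed `SAMPLE_NOW` are constructed assumptions for the example, not values from the skill.

```python
import base64
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of the IAM credential report (account id
# 123456789012 is the usual documentation placeholder, not a real account).
SAMPLE_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-06-01T00:00:00+00:00,true,2024-05-01T00:00:00+00:00,2024-01-01T00:00:00+00:00,2024-04-01T00:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-01T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2019-01-01T00:00:00+00:00,true,no_information,2019-01-01T00:00:00+00:00,2019-04-01T00:00:00+00:00,false,true,2019-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
# The real API hands the CSV back base64-encoded, so the sample is encoded the same way.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_CSV.encode()).decode()
# Fixed "now" so the example's key-age arithmetic is reproducible (assumption).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Sentinel strings AWS uses where no timestamp applies.
NOT_A_TIMESTAMP = {"N/A", "not_supported", "no_information", ""}


def parse_timestamp(value):
    """Return an aware datetime for a report timestamp, or None for a sentinel."""
    if value in NOT_A_TIMESTAMP:
        return None
    return datetime.fromisoformat(value)


def decode_report(content_b64):
    """Decode the base64 'Content' field into a list of row dicts.

    Malformed input raises ValueError with a message, rather than being
    silently swallowed by a bare except clause.
    """
    try:
        raw = base64.b64decode(content_b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"credential report is not valid base64 CSV: {exc}") from exc
    rows = list(csv.DictReader(io.StringIO(raw)))
    if not rows or "user" not in rows[0]:
        raise ValueError("credential report has no 'user' column")
    return rows


def evaluate_user(row, now, max_key_age_days=90):
    """Return a list of finding tags for one credential-report row."""
    findings = []
    if row["user"] == "<root_account>":
        if row["mfa_active"] != "true":
            findings.append("root-without-mfa")
        if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append("root-access-key")
    elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
        findings.append("console-user-without-mfa")
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] != "true":
            continue
        rotated = parse_timestamp(row[f"access_key_{n}_last_rotated"])
        if rotated is None or (now - rotated).days > max_key_age_days:
            findings.append(f"stale-access-key-{n}")
    return findings


def audit_credential_report(content_b64, now=None):
    """Decode, evaluate every user, and derive a simple score (10 points per finding)."""
    now = now or datetime.now(timezone.utc)
    rows = decode_report(content_b64)
    findings = {row["user"]: evaluate_user(row, now) for row in rows}
    total = sum(len(f) for f in findings.values())
    return {"findings": findings, "score": max(0, 100 - 10 * total)}


if __name__ == "__main__":
    result = audit_credential_report(SAMPLE_REPORT_B64, SAMPLE_NOW)
    for user, tags in result["findings"].items():
        print(f"{user}: {', '.join(tags) or 'ok'}")
    print("score:", result["score"])
```

In the skill itself the `SAMPLE_REPORT_B64` constant would be replaced by the `Content` field of the live API response; everything downstream stays the same, and a decoding failure surfaces as an exception the calling workflow can report instead of a silently zeroed score.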
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~300+ lines. It includes extensive lists of audit categories that merely describe what to check (which Claude already knows), compliance mapping tables that are reference material better suited to separate files, generic best practices, example prompts, and a Python security score calculator with incomplete/pseudocode logic. Much of this could be cut or externalized. | 1 / 3 |
| Actionability | The bash commands are mostly executable and copy-paste ready, which is good. However, the Python security score calculator has incomplete logic (the credential report parsing is stubbed with a comment and a bare except), the 'overly permissive policies' check only looks for a policy literally named 'AdministratorAccess', which is misleading, and the automated audit script hardcodes a trail name 'my-trail'. These gaps reduce overall actionability. | 2 / 3 |
| Workflow Clarity | There is no clear sequenced workflow for conducting an audit. The content is organized as a reference catalog of individual commands grouped by category, but there is no guidance on order of operations, no validation checkpoints (e.g., verify AWS credentials/permissions first), no feedback loops for handling errors or failed checks, and no clear process for what to do with findings beyond a static priority list. | 1 / 3 |
| Progressive Disclosure | The entire skill is a monolithic wall of content with no bundle files to reference. The compliance mapping, remediation priorities, individual command categories, and the Python script could all be split into separate files. Everything is inlined in one massive document with no navigation structure beyond flat headings. | 1 / 3 |
| Total | | 5 / 12 Passed |