Comprehensive AWS security posture assessment using AWS CLI and security best practices
43
Quality: 18%. Does it follow best practices?
Impact: 82%. 1.12x average score across 3 eval scenarios. Passed. No known issues.
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/antigravity-aws-security-audit/SKILL.md`

Quality
Discovery: 22%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description is too high-level and reads more like a title than a functional description. It lacks concrete actions, specific AWS services or checks it performs, and has no explicit trigger guidance for when Claude should select this skill. The buzzword 'comprehensive' adds no value.
Suggestions

- List specific concrete actions the skill performs, e.g., 'Audits IAM policies, checks S3 bucket permissions, reviews security group rules, evaluates CloudTrail logging configuration'.
- Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about AWS security audits, cloud compliance checks, IAM review, or hardening their AWS environment'.
- Remove the vague word 'comprehensive' and replace it with specific scope indicators such as which AWS services or security frameworks are covered.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description uses vague language like 'comprehensive' and 'security posture assessment' without listing any concrete actions. It doesn't specify what it actually does (e.g., check IAM policies, audit S3 bucket permissions, review security groups). | 1 / 3 |
| Completeness | The 'what' is vaguely stated as 'security posture assessment' without specifics, and there is no 'when' clause or explicit trigger guidance at all. The missing 'Use when...' clause caps this at 2 per the rubric, but the weak 'what' brings it to 1. | 1 / 3 |
| Trigger Term Quality | It includes some relevant keywords like 'AWS', 'security', and 'AWS CLI' that users might naturally mention, but misses common variations like 'IAM', 'S3 permissions', 'security groups', 'compliance', 'audit', or specific AWS service names. | 2 / 3 |
| Distinctiveness / Conflict Risk | The mention of 'AWS' and 'AWS CLI' provides some specificity that distinguishes it from generic security skills, but 'security posture assessment' is broad enough to overlap with other AWS or cloud security-related skills. | 2 / 3 |
| Total | | 6 / 12 Passed |
Implementation: 14%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a broad collection of AWS security audit commands but suffers from being a monolithic, unstructured reference dump rather than an actionable workflow. It lacks sequencing, validation steps, prerequisite checks, and error handling guidance. The content is significantly bloated with descriptive lists, incomplete code, and sections that don't add value beyond what Claude already knows about AWS security.
Suggestions

- Add a clear sequential workflow: prerequisites (permissions, CLI setup) → run audit → validate results → prioritize findings → remediate, with explicit validation checkpoints at each stage.
- Move the detailed command references, Python script, and compliance mapping into separate referenced files, keeping SKILL.md as a concise overview with quick-start commands.
- Remove the audit categories bullet lists (Claude knows what AWS security issues look like) and the generic best practices section; focus on the executable commands and decision logic.
- Fix the Python security score calculator so that it is actually executable (handle credential report parsing, remove the bare except) or remove it entirely in favor of the more complete bash script.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~300+ lines. It includes extensive lists of audit categories that merely describe what to check (which Claude already knows), a compliance mapping section that's just a list of standards, generic best practices, example prompts, and a Python security score calculator with incomplete logic (bare except, placeholder comments). Much of this could be dramatically condensed. | 1 / 3 |
| Actionability | The bash commands are mostly executable and copy-paste ready, which is good. However, the Python security score calculator is incomplete (the credential report parsing is stubbed out with a comment), the automated audit script hardcodes a trail name ('my-trail'), and some commands would fail without proper setup (the credential report must be generated first). The compliance mapping and remediation sections are descriptive rather than actionable. | 2 / 3 |
| Workflow Clarity | There is no clear sequenced workflow for conducting an audit. The skill presents a flat collection of commands organized by category but lacks a step-by-step process: no guidance on prerequisites (AWS CLI configuration, permissions needed), no sequencing of which checks to run first, no validation checkpoints, and no feedback loops for handling errors or acting on findings. For a security audit involving potentially destructive remediation decisions, this is a significant gap. | 1 / 3 |
| Progressive Disclosure | The content is a monolithic wall of text with everything inline. The audit categories list, all bash commands, the full Python script, compliance mappings, remediation priorities, and best practices are all in one file. The compliance mapping, detailed command references, and the Python script should be in separate referenced files. The 'Additional Resources' section links externally, but there is no internal content organization. | 1 / 3 |
| Total | | 5 / 12 Passed |
Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |