This skill enables Claude to audit access control implementations in various systems. It uses the access-control-auditor plugin to identify potential vulnerabilities and misconfigurations related to access control. Use this skill when the user asks to "audit access control", "check permissions", "assess access rights", or requests a "security review" focused on access management. It's particularly useful for analyzing IAM policies, ACLs, and other access control mechanisms in cloud environments, applications, or infrastructure. The skill helps ensure compliance with security best practices and identify potential privilege escalation paths.
55
44%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/access-control-auditor/skills/access-control-auditor/SKILL.md
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid skill description that clearly communicates both what the skill does and when to use it, with good trigger term coverage. Its main weaknesses are that the specific capabilities could be more concrete (e.g., listing specific audit checks or output formats) and some trigger terms like 'security review' are broad enough to potentially conflict with other security-focused skills.
Suggestions
Add more concrete specific actions the skill performs, such as 'generates access control audit reports', 'maps role hierarchies', or 'detects overly permissive policies' to improve specificity.
Narrow the 'security review' trigger term to reduce conflict risk, e.g., specify 'security review of access controls or permissions' rather than just 'security review focused on access management'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (access control auditing) and mentions some actions like 'identify potential vulnerabilities and misconfigurations', 'analyzing IAM policies, ACLs', and 'identify potential privilege escalation paths', but these are somewhat general rather than listing multiple distinct concrete operations the skill performs. | 2 / 3 |
| Completeness | The description clearly answers both 'what' (audits access control implementations, identifies vulnerabilities and misconfigurations, analyzes IAM policies/ACLs) and 'when' with an explicit 'Use this skill when...' clause listing specific trigger phrases and contexts. | 3 / 3 |
| Trigger Term Quality | The description includes strong natural trigger terms: 'audit access control', 'check permissions', 'assess access rights', 'security review', 'IAM policies', 'ACLs', 'access control mechanisms', 'privilege escalation'. These cover a good range of terms users would naturally use. | 3 / 3 |
| Distinctiveness Conflict Risk | While the focus on access control auditing is fairly specific, terms like 'security review' and 'check permissions' could overlap with broader security scanning or general security audit skills. The mention of 'compliance with security best practices' also broadens the scope in a way that could conflict with other security-related skills. | 2 / 3 |
| Total | | 10 / 12 Passed |
Implementation
7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content is largely descriptive rather than instructive. It explains what the skill does conceptually but provides no concrete, actionable guidance on how to actually use the access-control-auditor plugin—no commands, no syntax, no input/output formats, no error handling. The content reads more like a marketing description than a technical skill file.
Suggestions
Add concrete plugin invocation syntax with actual commands, flags, and arguments (e.g., how to specify targets, what input format is expected, what the output looks like)
Remove the 'How It Works' and 'When to Use This Skill' sections—Claude doesn't need to be told when to use a skill or how its own reasoning works; this is already covered by frontmatter triggers
Add a concrete example showing actual plugin input and expected output (e.g., a sample IAM policy snippet and the corresponding audit findings format)
Include validation/verification steps: how to confirm the audit ran correctly, how to handle errors, and what to do with ambiguous findings
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and explains concepts Claude already knows (what IAM policies are, what ACLs are, what privilege escalation is). The 'How It Works' section describes Claude's own reasoning process back to it. The 'When to Use This Skill' section largely duplicates the description. The 'Integration' section is vague filler. | 1 / 3 |
| Actionability | There are no concrete commands, executable code, API calls, or specific plugin invocation syntax. The examples describe what the skill 'will do' in abstract terms rather than providing actual commands or configuration. There's no indication of how to actually invoke the access-control-auditor plugin (flags, arguments, input format, output format). | 1 / 3 |
| Workflow Clarity | The 'How It Works' section lists abstract steps without any concrete validation checkpoints or error handling. There's no guidance on what to do if the audit fails, how to verify findings, or how to handle edge cases. The examples describe outcomes without showing the actual workflow steps. | 1 / 3 |
| Progressive Disclosure | The content is organized into logical sections with headers, which provides some structure. However, there are no references to external files, no bundle files exist, and content that could be separated (like detailed examples or plugin configuration) is presented inline in a somewhat bloated manner. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
13d35b8