Execute use when you need to work with compliance checking. This skill provides compliance monitoring and validation with comprehensive guidance and automation. Trigger with phrases like "check compliance", "validate policies", or "audit compliance".
Score: 37% (Does it follow best practices?)
Impact: Pending (no eval scenarios have been run)
Passed: no known issues
Optimize this skill with Tessl:
`npx tessl skill review --optimize ./plugins/devops/compliance-checker/skills/checking-infrastructure-compliance/SKILL.md`

Quality
Discovery
40%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is padded with vague buzzwords ('comprehensive guidance and automation') and lacks any concrete actions or specific capabilities. While it does include some trigger phrases, the overall description fails to communicate what the skill actually does in practical terms. The compliance domain provides some distinctiveness, but without specifics it remains too generic to be reliably selected from a large skill set.
Suggestions
- Replace vague language like 'comprehensive guidance and automation' with specific concrete actions (e.g., 'Checks code against regulatory standards, validates policy configurations, generates compliance audit reports').
- Specify the type or domain of compliance (e.g., security compliance, regulatory compliance, code style compliance) to reduce conflict risk with other skills.
- Add a clear 'Use when...' clause with broader trigger term coverage, such as 'Use when the user asks about regulatory checks, policy validation, audit reports, HIPAA, SOC2, or compliance violations'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description uses vague language like 'compliance monitoring and validation with comprehensive guidance and automation' without listing any concrete actions. There are no specific capabilities described, just abstract buzzwords like 'comprehensive guidance' and 'automation'. | 1 / 3 |
| Completeness | It has a weak 'what' (compliance monitoring and validation) and does include trigger phrases for 'when', but the 'what' is too vague to be meaningful. The trigger guidance exists but the capability description is essentially empty fluff, so it only partially answers both questions. | 2 / 3 |
| Trigger Term Quality | It includes some relevant trigger phrases like 'check compliance', 'validate policies', and 'audit compliance', which are natural terms a user might say. However, it lacks variations such as 'regulatory compliance', 'policy check', 'compliance report', or specific compliance domains. | 2 / 3 |
| Distinctiveness / Conflict Risk | The compliance domain is somewhat specific, but 'compliance' is broad and could overlap with security auditing, policy management, or regulatory skills. Without specifying what kind of compliance (e.g., code compliance, regulatory, HIPAA, SOC2), it risks conflicting with related skills. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation
35%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a broad overview of infrastructure compliance checking but lacks the concrete, executable guidance needed to be truly actionable. The instructions read more like a checklist of compliance activities than step-by-step executable procedures with specific commands, expected outputs, and validation checkpoints. The error handling table is a strength, but the absence of real code examples (e.g., actual Rego policies, complete checkov command pipelines with output parsing) significantly limits its utility.
Suggestions
- Replace vague instruction steps with concrete, executable command sequences showing full arguments, expected output snippets, and how to parse/process results (e.g., `checkov -d ./terraform --output json | jq '.results.failed_checks[] | select(.severity=="CRITICAL")'`).
- Add at least one complete, executable example workflow (e.g., scanning a Terraform directory, parsing results, generating a markdown report) with actual code rather than natural language descriptions of what to do.
- Add explicit validation checkpoints and feedback loops, especially before applying remediation patches (e.g., 'Run terraform plan on the remediation diff to verify no unintended changes before applying').
- Include a concrete OPA/Rego policy example for one of the mentioned rules (e.g., S3 encryption enforcement) rather than just describing what policies should enforce.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is reasonably structured but includes some unnecessary verbosity. The Overview section explains what compliance frameworks are, which Claude already knows. The Examples section lists natural language prompts rather than executable examples, adding tokens without much value. The Resources section with URLs is of limited utility to Claude. | 2 / 3 |
| Actionability | The instructions are high-level descriptions rather than executable guidance. Steps like 'Identify the applicable compliance framework(s) based on industry and data classification' and 'Check encryption at rest and in transit' are vague directives with no concrete code, commands with arguments, or copy-paste-ready examples. The only executable commands mentioned are bare tool invocations like `checkov -d .` without showing expected output or how to process results. | 1 / 3 |
| Workflow Clarity | Steps are listed in a logical sequence from scanning through reporting to CI/CD integration, but there are no validation checkpoints or feedback loops. For a workflow involving infrastructure compliance (potentially destructive remediation patches), there is no 'validate before applying' step, no error recovery loop, and no explicit checkpoint between scanning and generating remediation code. | 2 / 3 |
| Progressive Disclosure | The content is organized into clear sections (Overview, Prerequisites, Instructions, Output, Error Handling, Examples, Resources), which provides decent structure. However, with no bundle files, the skill is a monolithic document that could benefit from splitting detailed content (e.g., framework-specific scanning guides, OPA policy examples) into separate referenced files. The error handling table is a nice touch but the overall content is all inline. | 2 / 3 |
| Total | | 7 / 12 Passed |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation: 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |