
checking-infrastructure-compliance

Execute use when you need to work with compliance checking. This skill provides compliance monitoring and validation with comprehensive guidance and automation. Trigger with phrases like "check compliance", "validate policies", or "audit compliance".

40

Quality: 41% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Passed (No known issues)

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/devops/compliance-checker/skills/checking-infrastructure-compliance/SKILL.md

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides a reasonable high-level framework for infrastructure compliance checking with good tool coverage and a useful error handling table. However, it lacks executable code examples, concrete input/output demonstrations, and validation feedback loops that would make it truly actionable. The content reads more like a checklist overview than a hands-on guide Claude could follow step-by-step.

Suggestions

Add executable code blocks showing complete checkov/tfsec command invocations with example output parsing, e.g., `checkov -d ./terraform --output json | jq '.results.failed_checks[] | {check: .check_id, resource: .resource}'`

Include a concrete remediation example: show a before/after Terraform snippet for a common violation like unencrypted S3 bucket

Add explicit validation checkpoints in the workflow, e.g., after step 8: 'Run `terraform plan` to verify remediation patches apply cleanly, then re-run compliance scan to confirm violations are resolved'

Create bundle reference files for framework-specific policies (e.g., CIS_AWS.md, PCI_DSS.md) and link to them from the main skill to enable progressive disclosure of detailed control mappings

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The content is reasonably structured but includes some unnecessary verbosity. The Overview explains what compliance frameworks are, which Claude already knows. The Examples section lists natural language prompts rather than executable examples, adding tokens without much value. The Prerequisites section is useful but could be tighter. | 2 / 3 |
| Actionability | Instructions reference specific tools and commands (e.g., `checkov -d .`, `tfsec .`, `aws iam access-analyzer`) but lack executable code blocks showing actual usage, expected output parsing, or concrete Terraform/YAML remediation snippets. The steps are directional rather than copy-paste ready. The Examples section contains natural language descriptions rather than concrete input/output examples. | 2 / 3 |
| Workflow Clarity | The 9-step workflow provides a logical sequence from identification through CI/CD integration, but lacks explicit validation checkpoints and feedback loops. There's no 'verify scan completed successfully before proceeding' step, no guidance on what to do if remediation patches break other configurations, and no iterative validate-fix-retry loop after applying remediations. | 2 / 3 |
| Progressive Disclosure | The content is organized into clear sections (Overview, Prerequisites, Instructions, Output, Error Handling, Examples, Resources), which is good structure. However, with no bundle files, the detailed guidance for each compliance framework (CIS, SOC 2, HIPAA, PCI-DSS) and each tool (OPA, Checkov, tfsec) is either missing or would need to be inline. The Resources section links to external docs, but there are no internal reference files for detailed tool-specific workflows. | 2 / 3 |
| Total | | 8 / 12 |

Passed

Description

32%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description is padded with buzzwords ('comprehensive guidance and automation') but lacks any concrete specificity about what kind of compliance it handles or what actions it performs. While it does include some trigger phrases, the overall vagueness makes it nearly useless for distinguishing this skill from other compliance-related or auditing skills.

Suggestions

Replace vague language like 'comprehensive guidance and automation' with specific concrete actions (e.g., 'Checks code against HIPAA regulations, validates security policies against SOC2 requirements, generates audit reports').

Specify the domain of compliance (regulatory, security, code style, accessibility, etc.) to reduce conflict risk with other skills.

Use third-person declarative voice for capabilities (e.g., 'Validates infrastructure configurations against compliance frameworks') instead of the imperative 'Execute use when...' phrasing.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | The description uses vague language like 'compliance monitoring and validation with comprehensive guidance and automation' without listing any concrete actions. There are no specific capabilities described—just abstract buzzwords. | 1 / 3 |
| Completeness | It has a weak 'what' (compliance monitoring and validation) and does include trigger phrases that serve as a 'when' clause, but the 'what' is too vague to be meaningful. The trigger guidance is present, but the capability description is essentially empty. | 2 / 3 |
| Trigger Term Quality | It includes some relevant trigger phrases like 'check compliance', 'validate policies', and 'audit compliance', which are natural terms a user might say. However, it lacks variations and specifics about what kind of compliance (regulatory, code, security, etc.). | 2 / 3 |
| Distinctiveness / Conflict Risk | 'Compliance checking' is extremely broad and could overlap with security auditing, policy validation, code linting, regulatory compliance, and many other skills. Without specifying the domain or type of compliance, it would easily conflict with similar skills. | 1 / 3 |
| Total | | 6 / 12 |

Passed

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 |

Passed

Repository: jeremylongshore/claude-code-plugins-plus-skills

Reviewed
