
finding-security-misconfigurations

This skill enables Claude to identify potential security misconfigurations in various systems and configurations. It leverages the security-misconfiguration-finder plugin to analyze infrastructure-as-code, application configurations, and system settings, pinpointing common vulnerabilities and compliance issues. Use this skill when the user asks to "find security misconfigurations", "check for security vulnerabilities in my configuration", "audit security settings", or requests a security assessment of a specific system or file. This skill will assist in identifying and remediating potential security weaknesses.

Overall score: 91

Quality: 44% (Does it follow best practices?)

Impact: 100%, 1.01x (Average score across 9 eval scenarios)

Security by Snyk: Passed, no known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/security-misconfiguration-finder/skills/security-misconfiguration-finder/SKILL.md

Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a solid description that clearly communicates both what the skill does and when to use it, with good trigger terms. Its main weaknesses are slightly vague capability descriptions (could list more concrete specific actions) and a broad scope that could potentially overlap with other security-related skills. The description also uses phrases like 'This skill enables Claude to' and 'This skill will assist' which, while not first/second person, add unnecessary verbosity.

Suggestions

Replace generic action phrases like 'pinpointing common vulnerabilities and compliance issues' with specific concrete actions such as 'detect open ports, flag overly permissive IAM policies, identify unencrypted storage, check for default credentials'.

Narrow the scope or add more distinctive boundaries to reduce potential overlap with other security-related skills, e.g., specify the exact configuration formats or systems supported.

Dimension scores (reasoning, score):

Specificity (2 / 3): Names the domain (security misconfigurations) and some actions (analyze infrastructure-as-code, application configurations, system settings, pinpointing vulnerabilities and compliance issues), but the actions are somewhat generic and not as concrete as listing specific discrete operations like 'check firewall rules, validate TLS settings, audit IAM policies'.

Completeness (3 / 3): Clearly answers both 'what' (identify security misconfigurations in infrastructure-as-code, application configurations, system settings, pinpointing vulnerabilities and compliance issues) and 'when' (explicit 'Use this skill when...' clause with specific trigger phrases).

Trigger Term Quality (3 / 3): Includes good natural trigger terms: 'find security misconfigurations', 'check for security vulnerabilities in my configuration', 'audit security settings', 'security assessment', 'infrastructure-as-code', 'application configurations', 'compliance issues'. These cover terms users would naturally say.

Distinctiveness / Conflict Risk (2 / 3): While it focuses on security misconfigurations specifically, the broad scope covering 'various systems and configurations', 'infrastructure-as-code', 'application configurations', and 'system settings' could overlap with more specific security scanning skills or general code review skills. The niche is reasonably clear but not tightly bounded.

Total: 10 / 12

Passed

Implementation

7%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill content is almost entirely descriptive and abstract, lacking any concrete, actionable guidance. It explains what the skill does in general terms but never shows how to actually use the security-misconfiguration-finder plugin—no invocation syntax, no parameter specifications, no example outputs, and no real configuration snippets demonstrating misconfigurations. The content reads more like a marketing overview than an operational skill file.

Suggestions

Add the actual plugin invocation syntax with specific parameters (e.g., how to call security-misconfiguration-finder with a file path, what flags/options are available).

Replace the abstract examples with concrete input/output pairs showing a real misconfiguration in a Terraform or YAML file and the expected plugin output.

Remove the 'Overview', 'How It Works', and 'Best Practices' sections which contain only generic information Claude already knows, and replace with a concise quick-start section.

Add a section documenting the specific rules or categories of misconfigurations the plugin checks for, so Claude knows what to expect and can explain findings to users.

Dimension scores (reasoning, score):

Conciseness (1 / 3): The content is highly verbose, explaining concepts Claude already knows (what security misconfigurations are, how plugins work), repeating information from the description, and padding with generic advice like 'carefully review findings' and 'schedule regular audits.' The 'How It Works' section describes obvious plugin interaction steps that add no value.

Actionability (1 / 3): There is no concrete, executable guidance anywhere: no actual commands, no code snippets, no specific plugin invocation syntax, no configuration examples showing what a misconfiguration looks like. The examples describe what the skill 'will do' in abstract terms rather than showing how to actually use it.

Workflow Clarity (1 / 3): The 'How It Works' section lists generic steps ('Activate Plugin', 'Analyze Configuration') without any specifics on how to invoke the plugin, what parameters to pass, or what to do when findings are returned. There are no validation checkpoints or error handling steps for what is essentially a security-critical workflow.

Progressive Disclosure (2 / 3): The content has some structural organization with clear section headers (Overview, How It Works, Examples, Best Practices), but it's a monolithic document with no references to external files. The content that exists is mostly filler rather than well-organized substantive material.

Total: 5 / 12

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: jeremylongshore/claude-code-plugins-plus-skills

Reviewed
