
finding-security-misconfigurations

This skill enables Claude to identify potential security misconfigurations in various systems and configurations. It leverages the security-misconfiguration-finder plugin to analyze infrastructure-as-code, application configurations, and system settings, pinpointing common vulnerabilities and compliance issues. Use this skill when the user asks to "find security misconfigurations", "check for security vulnerabilities in my configuration", "audit security settings", or requests a security assessment of a specific system or file. This skill will assist in identifying and remediating potential security weaknesses.

Overall score: 91

Quality: 44% (does it follow best practices?)

Impact: 100%, 1.01x (average score across 9 eval scenarios)

Security by Snyk: Passed, no known issues


Quality

Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is reasonably well-structured with a clear 'Use this skill when...' clause and good trigger terms. Its main weaknesses are the somewhat vague capability descriptions (could list more specific concrete actions) and the use of phrases like 'This skill enables Claude to' and 'This skill will assist in' which add verbosity without adding clarity. The broad scope could also create overlap with other security-focused skills.

Suggestions

Replace vague action phrases like 'pinpointing common vulnerabilities and compliance issues' with specific concrete actions such as 'checks for open ports, misconfigured IAM policies, insecure TLS settings, overly permissive firewall rules'.

Narrow the scope or add more distinctive terms to reduce potential conflict with other security skills—e.g., specify supported file types like Terraform, Kubernetes YAML, Dockerfiles, or nginx configs.

Dimension, reasoning and score

Specificity (2 / 3)
Names the domain (security misconfigurations) and some actions (analyze infrastructure-as-code, application configurations, pinpointing vulnerabilities and compliance issues), but the actions are somewhat generic and not as concrete as listing specific discrete operations like 'check firewall rules, validate TLS settings, audit IAM policies'.

Completeness (3 / 3)
Clearly answers both 'what' (identify security misconfigurations in infrastructure-as-code, application configurations, system settings) and 'when' (explicit 'Use this skill when...' clause with multiple trigger phrases).

Trigger Term Quality (3 / 3)
Includes strong natural trigger terms: 'find security misconfigurations', 'check for security vulnerabilities in my configuration', 'audit security settings', 'security assessment'. These are phrases users would naturally say when needing this skill.

Distinctiveness / Conflict Risk (2 / 3)
While it focuses on security misconfigurations specifically, the broad scope covering 'various systems and configurations' and terms like 'security vulnerabilities' could overlap with other security-related skills such as vulnerability scanning, penetration testing, or general code review skills.

Total: 10 / 12 (Passed)

Implementation: 7%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill content is essentially a marketing description rather than actionable instructions. It lacks any concrete guidance—no plugin invocation syntax, no example outputs, no code, no specific configuration patterns to look for. The content repeatedly explains obvious concepts and describes what the skill does in abstract terms without ever showing Claude how to actually do it.

Suggestions

Add the actual plugin invocation syntax with specific arguments (e.g., how to call security-misconfiguration-finder, what parameters it accepts, what format it returns results in).

Replace the abstract examples with concrete ones showing actual input configuration snippets and the expected plugin output/findings format.

Remove the 'Overview', 'How It Works', and 'When to Use This Skill' sections entirely—they describe concepts Claude already knows and duplicate the skill description.

Add a concrete example of a misconfiguration finding with remediation guidance, such as a Terraform resource with a public S3 bucket and the corrected version.

Dimension, reasoning and score

Conciseness (1 / 3)
The content is highly verbose, explaining concepts Claude already knows (what security misconfigurations are, how plugins work), repeating information from the description, and padding with unnecessary context like 'This allows for early detection and remediation of security weaknesses.' The 'How It Works' section describes obvious plugin interaction steps that add no value.

Actionability (1 / 3)
There is no concrete, executable guidance anywhere: no actual commands, no code snippets, no specific plugin invocation syntax, no configuration examples showing what a misconfiguration looks like. The examples describe what the skill 'will do' in abstract terms rather than showing actual inputs, commands, or outputs.

Workflow Clarity (1 / 3)
The 'How It Works' section lists generic steps ('Activate Plugin', 'Analyze Configuration') with no specifics on how to invoke the plugin, what arguments it takes, or what output format to expect. There are no validation checkpoints, no error handling, and no feedback loops for when the plugin fails or returns unexpected results.

Progressive Disclosure (2 / 3)
The content has some structural organization with clear section headers (Overview, How It Works, Examples, Best Practices), but it's a monolithic document with no references to external files. Given there are no bundle files, this is somewhat acceptable, but the inline content is bloated with information that could be trimmed rather than split.

Total: 5 / 12 (Passed)

Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 passed

Validation for skill structure: no warnings or errors.

Repository: jeremylongshore/claude-code-plugins-plus-skills