finding-security-misconfigurations

tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill finding-security-misconfigurations

This skill enables Claude to identify potential security misconfigurations in various systems and configurations. It leverages the security-misconfiguration-finder plugin to analyze infrastructure-as-code, application configurations, and system settings, pinpointing common vulnerabilities and compliance issues. Use this skill when the user asks to "find security misconfigurations", "check for security vulnerabilities in my configuration", "audit security settings", or requests a security assessment of a specific system or file. This skill will assist in identifying and remediating potential security weaknesses.

Overall: 54%

Validation

81%
| Criteria | Description | Result |
| --- | --- | --- |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| body_output_format | No obvious output/return/format terms detected; consider specifying expected outputs | Warning |

Total: 13 / 16 Passed

Implementation

20%

This skill content is overly verbose and lacks actionable guidance. It describes what the skill does conceptually but fails to provide concrete plugin invocation syntax, expected output formats, or executable examples. The workflow steps are generic and miss validation checkpoints for security-critical operations.

Suggestions

Add concrete plugin invocation syntax showing exactly how to call the security-misconfiguration-finder plugin with specific parameters

Include an example of actual plugin output (e.g., JSON schema or formatted findings) so Claude knows what to expect and present

Remove the 'Overview' and 'How It Works' sections that explain obvious concepts, replacing with a quick-start code example

Add validation steps for reviewing findings and handling false positives or plugin errors

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The content is verbose and explains concepts Claude already knows (what security misconfigurations are, how plugins work). The 'Overview' section largely repeats the description, and 'How It Works' describes obvious plugin interaction steps that don't add value. | 1 / 3 |
| Actionability | No concrete code, commands, or executable guidance provided. The examples describe what the skill 'will do' abstractly rather than showing actual plugin invocation syntax, expected output formats, or specific commands to run. | 1 / 3 |
| Workflow Clarity | Steps are listed in 'How It Works' but lack validation checkpoints or error handling. No guidance on what to do if the plugin fails, how to verify findings, or how to handle false positives. | 2 / 3 |
| Progressive Disclosure | Content is reasonably organized with clear sections, but everything is inline in one file. The 'Integration' section hints at advanced use cases that could be separate references, and there's no linking to detailed documentation for the plugin's rules or configuration options. | 2 / 3 |

Total: 6 / 12 Passed

Activation

82%

This is a reasonably well-crafted description with strong completeness and trigger term coverage. The explicit 'Use this skill when...' clause with quoted trigger phrases is excellent. However, the description could be more specific about concrete actions performed and could better differentiate itself from other potential security-related skills.

Suggestions

Add more specific concrete actions like 'detect exposed secrets, flag overly permissive permissions, identify insecure default settings, check SSL/TLS configurations'

Clarify distinction from other security skills by emphasizing the configuration/settings focus vs. code vulnerabilities or runtime security issues

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Names the domain (security misconfigurations) and some actions ('analyze infrastructure-as-code, application configurations, and system settings, pinpointing common vulnerabilities and compliance issues'), but actions remain somewhat abstract rather than listing specific concrete operations like 'detect open ports, flag hardcoded credentials, identify overly permissive IAM policies'. | 2 / 3 |
| Completeness | Clearly answers both what (identify security misconfigurations in systems, analyze infrastructure-as-code, configurations, pinpoint vulnerabilities and compliance issues) AND when (explicit 'Use this skill when...' clause with specific trigger phrases). | 3 / 3 |
| Trigger Term Quality | Includes good natural trigger terms users would say: 'find security misconfigurations', 'check for security vulnerabilities in my configuration', 'audit security settings', 'security assessment'. These cover common variations of how users would phrase such requests. | 3 / 3 |
| Distinctiveness Conflict Risk | While focused on security misconfigurations specifically, terms like 'security vulnerabilities' and 'security assessment' could overlap with other security-related skills (e.g., penetration testing, code security scanning, vulnerability scanning). The focus on 'misconfigurations' provides some distinction but could still conflict. | 2 / 3 |

Total: 10 / 12 Passed
