
finding-security-misconfigurations

This skill enables Claude to identify potential security misconfigurations in various systems and configurations. It leverages the security-misconfiguration-finder plugin to analyze infrastructure-as-code, application configurations, and system settings, pinpointing common vulnerabilities and compliance issues. Use this skill when the user asks to "find security misconfigurations", "check for security vulnerabilities in my configuration", "audit security settings", or requests a security assessment of a specific system or file. This skill will assist in identifying and remediating potential security weaknesses.

91

1.01x
Quality: 44%. Does it follow best practices?

Impact: 100% (1.01x). Average score across 9 eval scenarios.

Security by Snyk: Passed. No known issues.

Optimize this skill with Tessl

npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/security-misconfiguration-finder/skills/security-misconfiguration-finder/SKILL.md

Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is reasonably well-structured with a clear 'Use this skill when' clause and good trigger terms. However, the specificity of capabilities could be improved by listing more concrete actions (e.g., specific types of misconfigurations detected). The description also uses phrases like 'enables Claude' and 'This skill will assist' which, while not first/second person, are slightly fluffy rather than direct action-oriented language.

Suggestions

Increase specificity by listing concrete misconfiguration types detected, e.g., 'open ports, overly permissive IAM policies, unencrypted storage, default credentials'.

Improve distinctiveness by clarifying what differentiates this from general vulnerability scanning or code security analysis — e.g., specify it focuses on configuration files rather than source code vulnerabilities.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Names the domain (security misconfigurations) and some actions (analyze infrastructure-as-code, application configurations, system settings, pinpointing vulnerabilities and compliance issues), but the actions are somewhat generic and not highly concrete — it doesn't list specific types of misconfigurations or specific remediation actions. | 2 / 3 |
| Completeness | Clearly answers both 'what' (identify security misconfigurations in infrastructure-as-code, application configurations, system settings) and 'when' (explicit 'Use this skill when...' clause with multiple trigger phrases). | 3 / 3 |
| Trigger Term Quality | Includes good natural trigger terms: 'find security misconfigurations', 'check for security vulnerabilities in my configuration', 'audit security settings', 'security assessment'. These are phrases users would naturally say when needing this skill. | 3 / 3 |
| Distinctiveness Conflict Risk | The focus on security misconfigurations is fairly specific, but terms like 'security vulnerabilities' and 'security assessment' could overlap with other security-related skills (e.g., penetration testing, code vulnerability scanning, compliance auditing). It's somewhat distinguishable but not perfectly distinct. | 2 / 3 |
| Total | | 10 / 12 |

Passed

Implementation

7%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill content is essentially a marketing description rather than actionable instructions. It lacks any concrete guidance on how to invoke the security-misconfiguration-finder plugin, what parameters it accepts, what output format to expect, or how to interpret results. The entire document describes what the skill does in abstract terms without ever showing Claude how to actually do it.

Suggestions

Add concrete plugin invocation syntax showing exactly how to call the security-misconfiguration-finder plugin with specific parameters and options.

Include at least one complete example with actual input configuration, the exact plugin command/call, and realistic sample output showing identified misconfigurations.

Remove the 'Overview', 'When to Use This Skill', and 'Best Practices' sections entirely — they contain no information Claude doesn't already know and waste token budget.

Add error handling and validation steps: what to do when the plugin fails, how to verify results, and how to handle edge cases like unsupported file formats.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The content is verbose and padded with unnecessary explanations. Sections like 'Overview' and 'How It Works' restate obvious concepts Claude already knows. 'When to Use This Skill' repeats the description. The 'Best Practices' section contains generic advice like 'review findings' and 'schedule regular audits' that add no actionable value. | 1 / 3 |
| Actionability | There is no concrete, executable guidance anywhere. No actual commands, code snippets, API calls, or plugin invocation syntax are provided. The examples describe what the skill 'will do' in abstract terms rather than showing how to actually invoke the plugin or what the output looks like. The entire skill reads as a description rather than an instruction set. | 1 / 3 |
| Workflow Clarity | The 'How It Works' section lists steps at a superficial level ('Activate Plugin', 'Analyze Configuration') without any concrete details on how to perform each step, what validation to do, or how to handle errors. There are no validation checkpoints, no feedback loops, and no error recovery guidance. | 1 / 3 |
| Progressive Disclosure | The content has some structural organization with clear section headers (Overview, How It Works, Examples, Best Practices), but there are no references to external files and no bundle files exist. The content is somewhat monolithic with sections that could be consolidated, though the headers do provide basic navigation. | 2 / 3 |
| Total | | 5 / 12 |

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: jeremylongshore/claude-code-plugins-plus-skills (Reviewed)
