This skill enables Claude to identify potential security misconfigurations in various systems and configurations. It leverages the security-misconfiguration-finder plugin to analyze infrastructure-as-code, application configurations, and system settings, pinpointing common vulnerabilities and compliance issues. Use this skill when the user asks to "find security misconfigurations", "check for security vulnerabilities in my configuration", "audit security settings", or requests a security assessment of a specific system or file. This skill will assist in identifying and remediating potential security weaknesses.
Install with Tessl CLI
npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill finding-security-misconfigurations92
Quality
51%
Does it follow best practices?
Impact
100%
1.01x
Average score across 9 eval scenarios
Optimize this skill with Tessl
npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/security-misconfiguration-finder/skills/security-misconfiguration-finder/SKILL.md
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a reasonably well-constructed skill description that excels in completeness with explicit trigger guidance and good trigger term coverage. However, it could be more specific about the concrete actions performed (what types of misconfigurations it detects) and could better distinguish itself from other security-related skills by emphasizing its configuration-focused niche more strongly.
Suggestions
Add specific examples of misconfigurations detected, such as 'detect exposed secrets, overly permissive access controls, insecure default settings, missing encryption configurations'
Strengthen distinctiveness by emphasizing the configuration-specific focus more clearly, e.g., 'Use for configuration files and IaC templates, not for runtime security scanning or code vulnerability analysis'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (security misconfigurations) and some actions ('analyze infrastructure-as-code, application configurations, and system settings, pinpointing common vulnerabilities and compliance issues'), but the actions remain somewhat abstract rather than listing specific concrete operations like 'detect open ports, flag hardcoded credentials, identify overly permissive IAM policies'. | 2 / 3 |
| Completeness | Clearly answers both what (identifies security misconfigurations in infrastructure-as-code, application configurations, system settings) AND when (explicit 'Use this skill when...' clause with specific trigger phrases). The description provides explicit guidance on when Claude should select this skill. | 3 / 3 |
| Trigger Term Quality | Includes good natural trigger terms users would say: 'find security misconfigurations', 'check for security vulnerabilities in my configuration', 'audit security settings', 'security assessment'. These cover common variations of how users would phrase such requests. | 3 / 3 |
| Distinctiveness Conflict Risk | While focused on security misconfigurations specifically, terms like 'security vulnerabilities' and 'security assessment' could overlap with other security-related skills (e.g., code security scanning, penetration testing skills). The focus on 'configurations' helps but isn't fully distinctive. | 2 / 3 |
| Total | | 10 / 12 Passed |
Implementation
20%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content is overly abstract and descriptive rather than actionable. It explains what the skill does conceptually but fails to provide concrete plugin invocation syntax, expected output formats, or executable examples. The content would benefit significantly from showing actual commands and real output samples rather than describing the process narratively.
Suggestions
Add concrete plugin invocation syntax showing exactly how to call the security-misconfiguration-finder plugin with specific parameters
Include actual example output showing what a misconfiguration finding looks like (JSON schema, severity levels, remediation fields)
Remove the 'Overview' and 'How It Works' sections which explain concepts Claude already understands, replacing with a quick-start code example
Add validation steps for verifying plugin results and handling edge cases like unsupported file formats or plugin errors
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and explains concepts Claude already knows (what security misconfigurations are, how plugins work). The 'Overview' section restates the description, and 'How It Works' describes obvious plugin interaction steps that don't add value. | 1 / 3 |
| Actionability | No concrete code, commands, or executable guidance provided. Examples describe what 'the skill will do' abstractly rather than showing actual plugin invocation syntax, expected output formats, or specific commands to run. | 1 / 3 |
| Workflow Clarity | Steps are listed in 'How It Works' but lack validation checkpoints or error handling. No guidance on what to do if the plugin fails, how to verify findings, or how to handle false positives. | 2 / 3 |
| Progressive Disclosure | Content is reasonably organized with clear sections, but everything is inline in one file. No references to external documentation for the plugin's API, rule definitions, or detailed remediation guides that would benefit from separation. | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.