This skill enables Claude to generate comprehensive security audit reports. It is designed to provide insights into an application or system's security posture, compliance status, and recommended remediation steps. Use this skill when the user requests a "security audit report", wants to "audit security", or needs a "vulnerability assessment report". The skill analyzes security data and produces a detailed report in various formats. It is best used to identify vulnerabilities, track compliance, and create remediation roadmaps. The skill can be activated via the command `/audit-report` or its shortcut `/auditreport`.
91
48%
Does it follow best practices?
Impact
100%
1.03x Average score across 9 eval scenarios
Passed
No known issues
Optimize this skill with Tessl:
`npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/security-audit-reporter/skills/security-audit-reporter/SKILL.md`
Quality
Discovery
89% Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid skill description that clearly communicates when and why to use it, with explicit trigger terms and a 'Use this skill when' clause. Its main weakness is that the capability descriptions are somewhat general—terms like 'analyzes security data' and 'detailed report in various formats' could be more concrete with specific examples of formats, vulnerability types, or compliance frameworks. The description also uses passive/third-person framing appropriately.
Suggestions
Add more specific concrete actions, e.g., 'scans for OWASP Top 10 vulnerabilities, checks against SOC 2/ISO 27001 compliance frameworks, outputs reports in PDF/HTML/Markdown formats' to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (security audit reports) and mentions some actions like 'identify vulnerabilities, track compliance, and create remediation roadmaps,' but these are somewhat general rather than listing multiple concrete, specific actions (e.g., it doesn't specify what formats, what types of vulnerabilities, or what compliance frameworks). | 2 / 3 |
| Completeness | Clearly answers both 'what' (generate comprehensive security audit reports, identify vulnerabilities, track compliance, create remediation roadmaps) and 'when' (explicit 'Use this skill when...' clause with specific trigger phrases and commands). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms: 'security audit report', 'audit security', 'vulnerability assessment report', '/audit-report', '/auditreport', 'security posture', 'compliance status', 'remediation'. These cover multiple natural phrasings a user might use. | 3 / 3 |
| Distinctiveness Conflict Risk | The description carves out a clear niche around security audit reports with distinct triggers like 'security audit report', 'vulnerability assessment report', and specific commands '/audit-report'. This is unlikely to conflict with general coding or document skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
7% Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content reads like a product description or marketing overview rather than actionable instructions for Claude. It lacks any concrete templates, report structures, output formats, or executable steps. The content explains what the skill does conceptually but never tells Claude how to actually generate a security audit report.
Suggestions
Add a concrete report template with specific sections (Executive Summary, Vulnerability Findings table, Compliance Matrix, Remediation Roadmap) showing exact markdown structure and expected output format.
Replace the abstract 'How It Works' section with a concrete step-by-step workflow: e.g., 1. Ask user for system details, 2. Structure findings using severity ratings (Critical/High/Medium/Low), 3. Map to compliance frameworks, 4. Generate prioritized remediation plan.
Include at least one complete example showing actual input data and the corresponding generated report output, so Claude knows exactly what format and level of detail to produce.
Remove the 'When to Use This Skill', 'Best Practices', and 'Integration' sections—these describe meta-information Claude doesn't need and waste tokens that should be used for actionable content.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and explains concepts Claude already knows (what a security audit is, what data collection means, what compliance standards are). The 'How It Works' section describes abstract processes rather than providing actionable instructions. The 'When to Use This Skill' section repeats information from the description. Nearly every section could be eliminated or drastically shortened. | 1 / 3 |
| Actionability | There is no concrete code, no specific commands, no templates, no output format specifications, and no executable guidance. The examples describe what the skill 'will do' in vague terms ('analyze the web application's security data') without showing actual report structure, markdown templates, or specific steps Claude should follow to produce the report. | 1 / 3 |
| Workflow Clarity | The 'How It Works' section lists three abstract phases (Data Collection, Analysis, Report Generation) with no concrete steps, no validation checkpoints, and no error handling. There is no actual workflow Claude can follow—just high-level descriptions of what should happen. | 1 / 3 |
| Progressive Disclosure | The content is organized into sections with headers, which provides some structure. However, there are no references to external files for detailed templates, schemas, or advanced configurations. The content is a monolithic set of vague descriptions that could benefit from splitting detailed report templates and compliance checklists into separate files. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation
100% Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
c8a915c