Iam Policy Reviewer - Auto-activating skill for Security Advanced. Triggers on: iam policy reviewer, iam policy reviewer. Part of the Security Advanced skill category.
Install with Tessl CLI
npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill iam-policy-reviewer
Overall score: 19%
Does it follow best practices?
Validation for skill structure
Activation
7%
This description is severely underdeveloped, functioning more as a placeholder than a useful skill description. It provides no information about what the skill actually does, relies on redundant trigger terms, and gives Claude no meaningful guidance for when to select this skill over others in a multi-skill environment.
Suggestions
Add specific capabilities the skill performs, such as 'Analyzes IAM policies for security vulnerabilities, checks for overly permissive access, validates least-privilege principles, and identifies policy conflicts.'
Include a 'Use when...' clause with natural trigger terms like 'review IAM policy', 'check AWS permissions', 'audit access controls', 'security review', 'policy analysis'.
Remove the redundant trigger term repetition and replace with varied, user-natural phrases that would appear in actual requests.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description contains no concrete actions - it only states it's an 'Auto-activating skill for Security Advanced' without describing what it actually does (e.g., analyze policies, check permissions, detect vulnerabilities). | 1 / 3 |
| Completeness | The description fails to answer both 'what does this do' and 'when should Claude use it' - there's no explanation of capabilities and no explicit usage guidance beyond the redundant trigger terms. | 1 / 3 |
| Trigger Term Quality | The triggers listed are just the skill name repeated ('iam policy reviewer, iam policy reviewer') rather than natural user terms like 'review IAM policy', 'check AWS permissions', 'security audit', or 'access control'. | 1 / 3 |
| Distinctiveness Conflict Risk | While 'IAM Policy' provides some domain specificity that distinguishes it from generic security skills, the lack of concrete actions means it could still conflict with other security-related skills that also deal with policies or access control. | 2 / 3 |
| Total | 5 / 12 Passed | |
Implementation
0%
This skill content is essentially a placeholder template with no actual IAM policy review guidance. It describes what the skill should do in abstract terms but provides zero actionable content - no policy parsing code, no security checks, no examples of dangerous patterns to flag, and no compliance criteria. The content fails on every dimension of the rubric.
Suggestions
Add concrete code examples for parsing and analyzing IAM policy JSON (e.g., checking for 'Action': '*' or 'Resource': '*' patterns)
Include a checklist of specific security anti-patterns to detect: overly permissive actions, missing conditions, dangerous service combinations
Provide example IAM policies (good and bad) with annotations explaining security implications
Add a clear workflow: 1) Parse policy 2) Run security checks 3) Generate findings report with severity levels
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is padded with generic boilerplate that explains nothing Claude doesn't already know. Phrases like 'provides automated assistance' and 'follows industry best practices' are meaningless filler with no actual IAM policy review guidance. | 1 / 3 |
| Actionability | There is zero concrete guidance on how to actually review IAM policies. No code, no commands, no specific checks to perform, no policy examples, no security criteria - just vague descriptions of what the skill supposedly does. | 1 / 3 |
| Workflow Clarity | No workflow is provided whatsoever. For IAM policy review, there should be clear steps like: parse policy JSON, check for overly permissive actions, validate resource constraints, flag dangerous patterns. None of this exists. | 1 / 3 |
| Progressive Disclosure | The content is a monolithic block of unhelpful text with no structure pointing to detailed materials. No references to policy schemas, common vulnerability patterns, or compliance frameworks despite mentioning SOC2/GDPR in tags. | 1 / 3 |
| Total | 4 / 12 Passed | |
Validation
69%
Validation — 11 / 16 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
| Total | 11 / 16 Passed | |