performing-security-audits
Analyze code, infrastructure, and configurations by conducting comprehensive security audits. It leverages tools within the security-pro-pack plugin, including vulnerability scanning, compliance checking, and cryptography review. Use when assessing security or running audits. Trigger with phrases like 'security scan', 'audit', or 'vulnerability'.
46
50%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./plugins/packages/security-pro-pack/skills/performing-security-audits/SKILL.mdQuality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly articulates specific capabilities (vulnerability scanning, compliance checking, cryptography review), provides explicit trigger guidance with natural user phrases, and occupies a distinct security-auditing niche. It uses proper third-person voice throughout and is concise without being vague. Minor improvement could include additional file type or format triggers, but overall it meets the criteria well.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'Analyze code, infrastructure, and configurations', 'vulnerability scanning', 'compliance checking', and 'cryptography review'. These are concrete, distinct capabilities. | 3 / 3 |
Completeness | Clearly answers both 'what' (analyze code/infrastructure/configurations via vulnerability scanning, compliance checking, cryptography review) and 'when' (explicit 'Use when assessing security or running audits' plus trigger phrases). | 3 / 3 |
Trigger Term Quality | Includes natural trigger terms users would say: 'security scan', 'audit', 'vulnerability', plus domain terms like 'compliance checking', 'cryptography review', and 'security audits'. Good coverage of natural phrases. | 3 / 3 |
Distinctiveness Conflict Risk | Clearly occupies a distinct niche around security auditing with specific triggers like 'security scan', 'audit', 'vulnerability', and mentions a specific plugin ('security-pro-pack'). Unlikely to conflict with non-security skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
0%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is almost entirely abstract description with no actionable content. It lacks concrete tool invocation syntax, real code examples, specific parameters, or executable commands. The majority of sections contain generic filler text that could apply to any skill, wasting token budget without providing Claude any useful guidance for performing security audits.
Suggestions
Replace abstract examples with concrete tool invocation syntax showing exact commands/parameters, e.g., how to call `Security Auditor Expert` with specific arguments and what the output looks like.
Remove filler sections (Integration, Prerequisites, Instructions, Output, Error Handling, Resources) that contain only generic placeholder text, or replace them with specific, actionable content.
Add a concrete workflow with validation checkpoints, e.g., 'Run vulnerability scan → review findings above severity threshold → verify fixes → re-scan to confirm remediation'.
Include at least one complete input/output example showing the actual tool call and a sample structured report format.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Extremely verbose with significant padding. The 'Overview' section restates the description. Sections like 'Integration', 'Prerequisites', 'Instructions', 'Output', 'Error Handling', and 'Resources' are vague filler that add no actionable information. Explains concepts Claude already knows (e.g., what security auditing is, what OWASP Top 10 is). | 1 / 3 |
Actionability | No concrete code, commands, or executable guidance anywhere. Examples describe what the skill 'will do' in abstract terms rather than showing actual tool invocations, parameters, or expected outputs. Instructions like 'Invoke this skill when the trigger conditions are met' and 'Provide necessary context and parameters' are completely vague. | 1 / 3 |
Workflow Clarity | The 'How It Works' section describes a generic 3-step process (select, execute, report) with no specifics about tool invocation syntax, parameters, or validation checkpoints. The 'Instructions' section is four generic bullet points with no real workflow. No validation or error recovery steps for security-critical operations. | 1 / 3 |
Progressive Disclosure | Monolithic wall of text with no references to external files or bundle resources. No bundle files are provided, yet the content is long and repetitive rather than being well-organized and concise. Multiple sections contain placeholder-quality content ('The skill produces structured output relevant to the task') that adds no value. | 1 / 3 |
Total | 4 / 12 Passed |
Validation
81%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 9 / 11 Passed | |
- Commit
6e9558f
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.