CtrlK
BlogDocsLog inGet started
Tessl Logo

performing-security-audits

Analyze code, infrastructure, and configurations by conducting comprehensive security audits. It leverages tools within the security-pro-pack plugin, including vulnerability scanning, compliance checking, and cryptography review. Use when assessing security or running audits. Trigger with phrases like 'security scan', 'audit', or 'vulnerability'.

48

Quality

52%

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

Fix and improve this skill with Tessl

tessl review fix ./plugins/packages/security-pro-pack/skills/performing-security-audits/SKILL.md
SKILL.md
Quality
Evals
Security

Quality

Content

20%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body reads as promotional documentation rather than operational guidance: no executable code or commands, generic instructions, and bundle files that exist on disk are never referenced. Workflow steps are present but lack the validation checkpoints security work demands.

Suggestions

Replace marketing prose with concrete, runnable guidance — show how to invoke scripts/security_scan.py and how to populate the assets/*_template.md report templates.

Add validation/verification checkpoints to the workflow (e.g., confirm findings against the OWASP/CIS checklist, validate remediation by re-running the scan).

Link the bundle files explicitly from the body (e.g., 'See [security_scan.py](scripts/security_scan.py)') and remove the generic placeholder sections (Instructions, Output, Resources) that add no information.

DimensionReasoningScore

Conciseness

The body is padded with marketing prose ('seamlessly integrates', 'holistic and integrated security review process', 'utilizes the specialized tools') that restates the description and explains nothing Claude does not already know, matching the verbose/padded anchor.

1 / 3

Actionability

Guidance is abstract — 'Invoke the Security Auditor Expert agent', 'Apply modifications as needed', 'Review the generated output' — with no executable code, commands, or concrete parameters; the bundled security_scan.py is never referenced or shown how to run.

1 / 3

Workflow Clarity

A three-step sequence exists (Analysis Selection, Execution, Reporting) but there are no validation checkpoints or error-recovery feedback loops for security findings, and the Instructions section is generic ('Invoke this skill when the trigger conditions are met').

2 / 3

Progressive Disclosure

Sections are organized, but the actual bundle files (assets/*_template.md, scripts/security_scan.py) are never linked or signaled from the body, and template/report content that belongs in references is only vaguely hinted at via a placeholder 'Resources' list.

2 / 3

Total

6

/

12

Passed

Description

85%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong description: third-person voice, explicit 'Use when' trigger guidance, and several concrete capabilities. The only weakness is limited trigger-term coverage with one generic term ('audit').

Suggestions

Broaden trigger terms to include natural variations users would say, e.g. 'pentest', 'penetration test', 'CVE', 'compliance check', or 'security review'.

Consider narrowing the generic 'audit' trigger or pairing it with a security qualifier to reduce overlap with general code-review skills.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'vulnerability scanning, compliance checking, and cryptography review' across 'code, infrastructure, and configurations' — matching the anchor for listing several specific concrete actions.

3 / 3

Completeness

Clearly answers both what (analyze code/infrastructure/configs via scanning, compliance, crypto review) and when via an explicit 'Use when assessing security or running audits' clause with trigger phrases.

3 / 3

Trigger Term Quality

Provides natural terms ('security scan', 'audit', 'vulnerability') but the set is thin and 'audit' is generic; common variations like 'pentest', 'CVE', or 'compliance check' are missing, fitting the 'some relevant keywords but missing common variations' anchor.

2 / 3

Distinctiveness Conflict Risk

The security-audit niche is clear and the triggers ('security scan', 'vulnerability') are security-specific enough to be unlikely to fire for unrelated skills.

3 / 3

Total

11

/

12

Passed

Validation

87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation14 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

allowed_tools_field

'allowed-tools' contains unusual tool name(s)

Warning

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

14

/

16

Passed

Repository
jeremylongshore/claude-code-plugins-plus-skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.