performing-security-audits
Analyze code, infrastructure, and configurations by conducting comprehensive security audits. It leverages tools within the security-pro-pack plugin, including vulnerability scanning, compliance checking, and cryptography review. Use when assessing security or running audits. Trigger with phrases like 'security scan', 'audit', or 'vulnerability'.
46
50%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./plugins/packages/security-pro-pack/skills/performing-security-audits/SKILL.mdQuality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly articulates specific capabilities (vulnerability scanning, compliance checking, cryptography review), provides explicit trigger guidance with natural user phrases, and occupies a distinct security-auditing niche. It uses proper third-person voice throughout and balances conciseness with completeness.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'Analyze code, infrastructure, and configurations', 'vulnerability scanning', 'compliance checking', and 'cryptography review'. These are concrete, distinct capabilities. | 3 / 3 |
Completeness | Clearly answers both 'what' (analyze code/infrastructure/configurations via vulnerability scanning, compliance checking, cryptography review) and 'when' (explicit 'Use when assessing security or running audits' plus trigger phrases). Both are explicitly stated. | 3 / 3 |
Trigger Term Quality | Includes natural trigger terms users would say: 'security scan', 'audit', 'vulnerability', plus contextual terms like 'compliance checking', 'cryptography review', and 'security audits'. Good coverage of natural language variations. | 3 / 3 |
Distinctiveness Conflict Risk | Clearly occupies a distinct niche around security auditing with specific triggers like 'security scan', 'audit', 'vulnerability', and mentions a specific plugin ('security-pro-pack'). Unlikely to conflict with non-security skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
0%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is almost entirely abstract description with no actionable content. It explains what security auditing is and describes Claude's behavior back to itself rather than providing concrete tool invocations, parameters, code examples, or validation steps. Multiple sections (Integration, Prerequisites, Instructions, Output, Error Handling, Resources) are generic filler that could apply to any skill and waste token budget.
Suggestions
Replace abstract examples with concrete tool invocations showing exact parameters, input formats, and expected output structures (e.g., actual MCP tool call syntax for 'Security Auditor Expert' with sample code input and JSON output).
Remove redundant and generic filler sections (Overview that restates the intro, Integration, Prerequisites, Instructions, Output, Error Handling, Resources) — these add no information Claude can act on.
Add a concrete workflow with validation checkpoints, e.g., 'Run vulnerability scan → review findings → run compliance check → cross-reference results → generate consolidated report' with actual tool names and parameters at each step.
Include at least one complete end-to-end example showing the exact tool calls, their parameters, sample output, and how to interpret/present results to the user.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Extremely verbose with significant padding. The 'Overview' section restates the opening paragraph. Sections like 'Integration', 'Prerequisites', 'Instructions', 'Output', 'Error Handling', and 'Resources' are vague filler that add no actionable information. Explains concepts Claude already knows (what a security audit is, what OWASP Top 10 is). The 'How It Works' section describes Claude's own behavior back to it. | 1 / 3 |
Actionability | No concrete code, commands, or executable guidance anywhere. Examples describe what 'the skill will' do in abstract terms rather than showing actual tool invocations, parameters, or expected outputs. Instructions like 'Invoke this skill when the trigger conditions are met' and 'Provide necessary context and parameters' are completely vague. | 1 / 3 |
Workflow Clarity | The numbered steps in 'How It Works' and examples are abstract descriptions of behavior, not actionable workflows. There are no validation checkpoints, no error recovery loops, and no concrete sequencing of tool calls. The 'Instructions' section is a generic 4-step placeholder with no specificity. | 1 / 3 |
Progressive Disclosure | Monolithic wall of text with no references to external files and no bundle files to support it. Content is poorly organized with redundant sections (Overview restates the intro, Instructions is generic filler). No clear navigation structure or separation of concerns. | 1 / 3 |
Total | 4 / 12 Passed |
Validation
81%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 9 / 11 Passed | |
- Commit
69c73e9
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.