Soc2 Compliance Checker - Auto-activating skill for Security Advanced. Triggers on: soc2 compliance checker, soc2 compliance checker Part of the Security Advanced skill category.
Does it follow best practices?
Impact: 96%
1.02x average score across 3 eval scenarios
Passed: no known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./planned-skills/generated/04-security-advanced/soc2-compliance-checker/SKILL.md
Quality
Discovery
7%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is essentially a placeholder that provides no meaningful information about what the skill does or when it should be used. It repeats the skill name as its only trigger term and lacks any concrete actions, capabilities, or explicit usage guidance. It would be nearly impossible for Claude to make an informed decision about selecting this skill from a pool of available skills.
Suggestions
Add specific concrete actions the skill performs, e.g., 'Evaluates codebases and infrastructure configurations against SOC 2 Trust Services Criteria, checks access controls, audits logging practices, and identifies compliance gaps.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about SOC 2 compliance, security audits, trust services criteria, access control reviews, or compliance readiness assessments.'
Expand trigger terms to include natural variations users would say, such as 'SOC 2', 'SOC2 audit', 'compliance check', 'security compliance', 'trust services', 'Type I', 'Type II'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description provides no concrete actions. It only names itself ('Soc2 Compliance Checker') and states it's 'auto-activating' and part of 'Security Advanced' but never describes what it actually does — no verbs like 'checks', 'audits', 'validates', or any specific capabilities. | 1 / 3 |
| Completeness | The description fails to answer both 'what does this do' and 'when should Claude use it'. There is no explanation of capabilities and no explicit 'Use when...' clause — only a redundant trigger phrase that restates the skill name. | 1 / 3 |
| Trigger Term Quality | The trigger terms listed are just the skill name repeated twice ('soc2 compliance checker, soc2 compliance checker'). There are no natural user keywords like 'SOC 2 audit', 'compliance review', 'security controls', 'trust services criteria', or other terms a user would naturally use. | 1 / 3 |
| Distinctiveness / Conflict Risk | The mention of 'Soc2' and 'Security Advanced' provides some domain specificity that narrows the scope, but the lack of concrete actions or detailed triggers means it could still overlap with other security or compliance-related skills. | 2 / 3 |
| Total | | 5 / 12 Passed |
Implementation
0%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially a placeholder with no actual content. It contains only generic boilerplate descriptions that could apply to any skill topic, with zero SOC2-specific knowledge, no compliance frameworks, no checklists, no code, and no actionable guidance whatsoever. It fails on every dimension of the rubric.
Suggestions
Add concrete SOC2 Trust Service Criteria (TSC) checklists covering Security, Availability, Processing Integrity, Confidentiality, and Privacy with specific controls to verify.
Include executable code or scripts for automated compliance checks (e.g., AWS/GCP policy validation, access control audits, logging verification).
Define a clear multi-step compliance assessment workflow with validation checkpoints, such as: scope definition → evidence collection → gap analysis → remediation → re-validation.
Add references to detailed sub-files for specific SOC2 domains (e.g., ACCESS_CONTROLS.md, LOGGING_AUDIT.md, ENCRYPTION_STANDARDS.md) rather than keeping everything generic.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is entirely filler with no substantive information. It explains nothing Claude doesn't already know and provides zero domain-specific knowledge about SOC2 compliance checking. | 1 / 3 |
| Actionability | There are no concrete steps, commands, code examples, or specific guidance. Every section is vague and abstract — 'provides step-by-step guidance' without actually providing any steps. | 1 / 3 |
| Workflow Clarity | No workflow is defined at all. There are no steps, no sequence, no validation checkpoints — just generic claims about capabilities without any actual process. | 1 / 3 |
| Progressive Disclosure | The content is a flat, uninformative page with no references to detailed materials, no links to related files, and no structured navigation to deeper content. | 1 / 3 |
| Total | | 4 / 12 Passed |
Validation
81%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |