
security-fix

Orchestrates test-driven fixes for Mattermost security tickets (Jira/Atlassian) with a Staff Security Engineer mindset: failing secure-behavior tests first, then implementation, then security review and edge-case loops, then opening a non-draft PR that follows `.github/PULL_REQUEST_TEMPLATE.md` when present, with a vague public description (no exploit detail). Use when the user invokes /security-fix:security-fix with a mattermost.atlassian.net browse URL, MM-* security work, backend permission or authorization bugs, or asks for this security TDD workflow.

67

Quality: 81% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Advisory (Suggest reviewing before use)


Quality: Content (62%)

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured orchestration skill with excellent workflow clarity—the TDD phases, feedback loops, and success criteria are clearly defined. Its main weaknesses are the lack of concrete executable examples (no MCP call syntax, no test runner commands, no sub-agent prompt templates) and moderate verbosity in areas where Claude could infer intent. The PR description policy section with the comparison table is a strong, actionable addition.

Suggestions

Add concrete examples of sub-agent prompts or delegation calls so the orchestrator knows exactly what to pass to each phase's sub-agent.

Include a specific example of the Atlassian MCP call syntax for fetching ticket details (e.g., the actual tool call with parameters).

Add example test runner commands relevant to the Mattermost codebase (e.g., `make test-server` or `go test ./...`) so phases have executable verification steps.

Dimension scores (Dimension: Reasoning; Score)

Conciseness (2 / 3): The skill is reasonably well-structured but includes some redundancy—e.g., the anti-patterns section partially restates constraints already given in the phases, and some explanations (like what a Staff Security Engineer mindset means) could be trimmed. The PR description table is a nice touch but the surrounding prose is somewhat verbose.

Actionability (2 / 3): The skill provides a clear multi-phase workflow with defined roles and deliverables, but lacks concrete executable commands or code examples. There are no specific CLI commands for running tests, no example sub-agent prompts, and no concrete Atlassian MCP call syntax. The guidance is structured but remains at a procedural/descriptive level rather than copy-paste ready.

Workflow Clarity (3 / 3): The multi-step workflow is clearly sequenced across well-defined phases (1→2→3→loop back to 2→3), with explicit success criteria at each phase (tests must fail for the right reason, tests must pass, edge-case tests must fail then pass). The orchestrator checklist provides a clear summary, and the feedback loop between Phase 2 and Phase 3 is explicitly defined with clear termination conditions.

Progressive Disclosure (2 / 3): The content is well-organized with clear headings and sections, but it's a monolithic document with no references to supporting files. The PR template guidance, anti-patterns, and the detailed phase descriptions could benefit from being split into referenced files, especially given the document's length. However, no bundle files exist to reference.

Total: 9 / 12 (Passed)

Quality: Description (100%)

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that thoroughly covers what the skill does (a detailed TDD security fix workflow), when to use it (with multiple explicit triggers including a slash command and URL patterns), and is highly distinctive to Mattermost security engineering. The description is dense but informative, with strong trigger terms and clear differentiation from other potential skills.

Dimension scores (Dimension: Reasoning; Score)

Specificity (3 / 3): Lists multiple specific concrete actions: failing secure-behavior tests first, then implementation, then security review and edge-case loops, then opening a non-draft PR following a template with vague public description. Very detailed workflow steps.

Completeness (3 / 3): Clearly answers both 'what' (orchestrates TDD security fixes with specific workflow steps including tests, implementation, review, PR creation) and 'when' (explicit 'Use when' clause with multiple specific trigger conditions).

Trigger Term Quality (3 / 3): Includes highly specific natural trigger terms: '/security-fix:security-fix', 'mattermost.atlassian.net browse URL', 'MM-* security work', 'backend permission or authorization bugs', 'security TDD workflow', 'Jira/Atlassian'. These cover the natural ways a user would invoke this skill.

Distinctiveness / Conflict Risk (3 / 3): Extremely niche and distinctive: targets Mattermost security tickets specifically, references specific Jira URLs (mattermost.atlassian.net), MM-* ticket patterns, and a specific slash command. Very unlikely to conflict with other skills.

Total: 12 / 12 (Passed)

Validation (90%)

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 10 / 11 Passed

Checks (Criteria: Description; Result)

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata (Warning)

Total: 10 / 11 (Passed)

Repository: mattermost/mattermost-ai-marketplace (Reviewed)
