Orchestrates test-driven fixes for Mattermost security tickets (Jira/Atlassian) with a Staff Security Engineer mindset: failing secure-behavior tests first, then implementation, then security review and edge-case loops, then opening a non-draft PR that follows `.github/PULL_REQUEST_TEMPLATE.md` when present, with a vague public description (no exploit detail). Use when the user invokes /security-fix:security-fix with a mattermost.atlassian.net browse URL, MM-* security work, backend permission or authorization bugs, or asks for this security TDD workflow.
67
81% (Does it follow best practices?)
Impact: — (No eval scenarios have been run)
Advisory: Suggest reviewing before use
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines a highly specific workflow (security TDD for Mattermost), lists concrete actions in sequence, and provides explicit trigger conditions including command names, URL patterns, and task types. The description is detailed without being padded, uses third person voice correctly, and would be easily distinguishable from any other skill in a large collection.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: failing secure-behavior tests first, then implementation, then security review and edge-case loops, then opening a non-draft PR following a template with vague public description. Very detailed workflow steps. | 3 / 3 |
| Completeness | Clearly answers both 'what' (orchestrates test-driven fixes for security tickets with specific workflow steps) and 'when' (explicit 'Use when' clause listing multiple trigger scenarios including command invocation, URL patterns, and task types). | 3 / 3 |
| Trigger Term Quality | Includes highly specific natural trigger terms: '/security-fix:security-fix', 'mattermost.atlassian.net browse URL', 'MM-* security work', 'backend permission or authorization bugs', 'security TDD workflow', 'Jira/Atlassian'. These cover the natural ways a user would invoke this skill. | 3 / 3 |
| Distinctiveness / Conflict Risk | Extremely niche and distinctive: targets Mattermost security tickets specifically, references a specific slash command, Atlassian URLs with MM-* patterns, and a particular TDD security workflow. Very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
62%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured orchestration skill with excellent workflow clarity—the TDD phases, feedback loops, and validation checkpoints are clearly defined. Its main weaknesses are the lack of concrete executable examples (no MCP call syntax, no test runner commands, no sub-agent prompt templates) and moderate verbosity in areas where Claude could infer intent. The PR description policy with the comparison table is a strong, actionable addition.
Suggestions
Add a concrete example of the Atlassian MCP call to fetch ticket details (e.g., exact tool name and parameters) to improve actionability.
Include an example sub-agent prompt/delegation call for at least Phase 1 so the orchestrator knows the exact format to use when spawning sub-agents.
Trim redundancy between the phase descriptions and the anti-patterns section—several anti-patterns simply restate constraints already embedded in the phases.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably well-structured but includes some redundancy, e.g. the anti-patterns section partially restates constraints already given in the phases, and some explanations (like what a Staff Security Engineer mindset means) could be trimmed. The PR description table is a nice touch but the surrounding prose is somewhat verbose. | 2 / 3 |
| Actionability | The skill provides a clear multi-phase workflow with defined roles and deliverables, but lacks concrete executable commands or code examples. There are no specific CLI commands for running tests, no example sub-agent prompts, and no concrete Atlassian MCP call syntax. The guidance is structured but remains at a procedural/descriptive level rather than copy-paste ready. | 2 / 3 |
| Workflow Clarity | The multi-step workflow is clearly sequenced across well-defined phases (1→2→3→loop back to 2→3), with explicit success criteria at each phase (tests must fail for the right reason, tests must pass, edge-case tests must fail then pass). The orchestrator checklist provides a numbered summary, and the feedback loop between Phase 2 and Phase 3 is explicitly defined with clear termination conditions. | 3 / 3 |
| Progressive Disclosure | The content is well-organized with clear headings and sections, but it's a monolithic document with no references to supporting files. The PR template guidance, anti-patterns, and the detailed phase descriptions could benefit from being split into referenced sub-documents, especially given the document's length. However, no bundle files exist to reference, which limits options. | 2 / 3 |
| Total | | 9 / 12 Passed |
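The Implementation review above credits the skill with a clear loop (a secure-behavior test must first fail for the right reason, then pass; an edge-case test from review must fail, then pass) but faults it for giving no concrete example. The Go program below is an added illustration of that loop for the "backend permission or authorization bug" class named in the description. It is not Mattermost code and not part of the skill: the `Store`, `Membership` and `Post` types, the three `GetPost*` handlers, the `userID/channelID` membership key and the soft-delete (`DeleteAt`) edge case are hypothetical stand-ins with constructed sample data, chosen only to show the shape of the workflow.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrForbidden = errors.New("forbidden")

// Membership is a hypothetical model: DeleteAt != 0 means the user left or was removed.
type Membership struct{ DeleteAt int64 }
type Post struct{ ID, ChannelID string }

// Store is a constructed in-memory fixture standing in for the database.
type Store struct {
	Posts       map[string]Post
	Memberships map[string]*Membership // keyed userID+"/"+channelID; nil if never joined
}

type GetPostFunc func(s *Store, userID, postID string) (Post, error)

// getPost is the shared handler skeleton; the three versions below differ only in
// the authorization predicate applied to the caller's membership (nil if none).
func getPost(s *Store, userID, postID string, allowed func(*Membership) bool) (Post, error) {
	p, ok := s.Posts[postID]
	if !ok || !allowed(s.Memberships[userID+"/"+p.ChannelID]) {
		return Post{}, ErrForbidden
	}
	return p, nil
}

// GetPostVulnerable is the "before": any caller gets the post (hypothetical bug).
func GetPostVulnerable(s *Store, u, p string) (Post, error) {
	return getPost(s, u, p, func(*Membership) bool { return true })
}

// GetPostNaiveFix requires a membership row but ignores DeleteAt, so a user who left
// the channel still reads it: the edge case the review loop must turn into a failing test.
func GetPostNaiveFix(s *Store, u, p string) (Post, error) {
	return getPost(s, u, p, func(m *Membership) bool { return m != nil })
}

// GetPostFixed denies outsiders and former members alike.
func GetPostFixed(s *Store, u, p string) (Post, error) {
	return getPost(s, u, p, func(m *Membership) bool { return m != nil && m.DeleteAt == 0 })
}

// Outcome of one secure-behavior test: the loop needs FailRightReason before a fix and
// Pass after it; FailWrongReason (other error or panic) proves nothing about authorization.
type Outcome string

const (
	Pass            Outcome = "pass"
	FailRightReason Outcome = "fail: access granted where it must be denied"
	FailWrongReason Outcome = "fail: unexpected error or panic"
)

// expectDenied asserts that userID is refused postID; a panic is a wrong-reason failure.
func expectDenied(get GetPostFunc, userID, postID string) (out Outcome) {
	defer func() {
		if recover() != nil {
			out = FailWrongReason
		}
	}()
	_, err := get(fixture(), userID, postID)
	switch {
	case errors.Is(err, ErrForbidden):
		return Pass
	case err == nil:
		return FailRightReason
	default:
		return FailWrongReason
	}
}

// fixture is constructed sample data: one post in channel c1, one current and one former member.
func fixture() *Store {
	return &Store{
		Posts: map[string]Post{"p1": {ID: "p1", ChannelID: "c1"}},
		Memberships: map[string]*Membership{
			"member/c1": {DeleteAt: 0},
			"former/c1": {DeleteAt: 1700000000},
		},
	}
}

// NonMemberTest is the Phase 1 test, FormerMemberTest the edge-case test added in the
// review loop, and MemberStillReads the guard against a "fix" that denies everyone.
func NonMemberTest(get GetPostFunc) Outcome    { return expectDenied(get, "outsider", "p1") }
func FormerMemberTest(get GetPostFunc) Outcome { return expectDenied(get, "former", "p1") }
func MemberStillReads(get GetPostFunc) bool {
	p, err := get(fixture(), "member", "p1")
	return err == nil && p.ID == "p1"
}

func main() {
	for _, get := range []GetPostFunc{GetPostVulnerable, GetPostNaiveFix, GetPostFixed} {
		fmt.Println(NonMemberTest(get), "|", FormerMemberTest(get), "|", MemberStillReads(get))
	}
}
```

Run with `go run .`: the first line shows the vulnerable handler failing the non-member test for the right reason, the second shows the naive fix passing it but failing the former-member test, the third shows the final fix passing both while the member keeps read access. Two details are deliberate. `expectDenied` turns a panic into `FailWrongReason`, because a test that fails on a nil dereference before reaching the permission check is not evidence of an authorization bug and must be repaired before the red phase counts. And `getPost` answers an unknown post and an unauthorized post identically, so the error itself does not become an oracle for whether a post exists.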
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
349d5ed