ark-pentest-issue-resolver

Resolve common penetration testing issues in Ark. Use when fixing security vulnerabilities from pentest reports, security audits, or OWASP Top 10 issues.

Overall score: 76

Quality: 66% (does it follow best practices?)

Impact: 96% (1.04x; average score across 3 eval scenarios)

Security (by Snyk): Passed, no known issues

Quality

Discovery: 89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is well-structured with a clear 'Use when' clause and good trigger term coverage for security-related queries. Its main weakness is the lack of specific concrete actions—it says 'resolve common penetration testing issues' without enumerating what kinds of fixes it performs (e.g., XSS remediation, SQL injection fixes, CSRF protection). Overall it is a solid description that could be improved with more specificity about capabilities.

Suggestions

Add specific concrete actions such as 'fix XSS vulnerabilities, remediate SQL injection, address CSRF issues, harden authentication' to improve specificity.

Dimension / Reasoning / Score

Specificity (2 / 3): Names the domain ('penetration testing issues in Ark') and a general action ('resolve'/'fixing'), but does not list multiple specific concrete actions like patching XSS, fixing SQL injection, hardening authentication, etc.

Completeness (3 / 3): Clearly answers both 'what' (resolve common penetration testing issues in Ark) and 'when' (explicit 'Use when' clause covering pentest reports, security audits, and OWASP Top 10 issues).

Trigger Term Quality (3 / 3): Includes strong natural trigger terms users would say: 'penetration testing', 'pentest reports', 'security audits', 'OWASP Top 10', 'security vulnerabilities'. These cover common variations of how users would describe this need.

Distinctiveness / Conflict Risk (3 / 3): Scoped specifically to 'Ark' and penetration testing remediation, which creates a clear niche. The combination of the specific product name and security testing context makes it unlikely to conflict with other skills.

Total: 11 / 12. Passed

Implementation: 42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill is a comprehensive security reference with excellent, executable code examples across multiple languages and frameworks, but it is far too verbose for a SKILL.md file. It reproduces general OWASP knowledge that Claude already possesses rather than focusing on Ark-specific patterns, file locations, and the resolution workflow. The content would benefit enormously from splitting vulnerability details into separate reference files and keeping only the workflow, Ark-specific context, and navigation in the main skill.

Suggestions

Extract each vulnerability category (SQL Injection, XSS, etc.) into separate reference files (e.g., `vulns/sql-injection.md`) and keep only a concise lookup table with Ark-specific file paths in SKILL.md.

Remove generic vulnerability descriptions ('Attacker can inject malicious SQL queries...') since Claude already knows these concepts—focus only on Ark-specific detection patterns, file locations, and project-specific mitigation approaches.

Integrate the testing checklist directly into the workflow as explicit validation checkpoints (e.g., after Step 5, require running specific security tests before proceeding to PR creation).

Reduce the main SKILL.md to under 100 lines: workflow steps, Ark component mapping, keyword-to-category table, and links to detailed per-vulnerability reference files.

Dimension / Reasoning / Score

Conciseness (1 / 3): Extremely verbose at 700+ lines. Explains well-known security concepts (what SQL injection is, what XSS is, what CSRF is) that Claude already knows. Descriptions like 'Attacker can inject malicious SQL queries through user input' add no value. The entire OWASP Top 10 is essentially reproduced here with basic explanations, when only Ark-specific patterns and file locations would be novel information.

Actionability (3 / 3): Provides fully executable code examples across Python, Go, JavaScript, Bash, YAML, and Dockerfile formats. Detection patterns, grep commands, and mitigation code are all copy-paste ready with concrete library imports and function implementations.

Workflow Clarity (2 / 3): The 7-step workflow (Steps 1-7) is clearly sequenced and includes a validation step (Step 6) and user approval gate (Step 4). However, the validation step is thin (just 'make test' and comments), with no explicit feedback loop for re-checking after fixes. The testing checklist is helpful but separated from the workflow rather than integrated as checkpoints.

Progressive Disclosure (1 / 3): Monolithic wall of text with all 15 vulnerability categories fully detailed inline. This content desperately needs splitting: each vulnerability category could be a separate reference file, with SKILL.md providing only the workflow, Ark-specific context, and a lookup table. The keyword mapping table and resources section are useful but buried at the bottom of an enormous document.

Total: 7 / 12. Passed

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

Criteria / Description / Result

skill_md_line_count: SKILL.md is long (1013 lines); consider splitting into references/ and linking. Result: Warning

Total: 10 / 11. Passed

Repository: mckinsey/agents-at-scale-ark (Reviewed)
