Resolve common penetration testing issues in Ark. Use when fixing security vulnerabilities from pentest reports, security audits, or OWASP Top 10 issues.
- Score: 76
- 66% (Does it follow best practices?)
- Impact: 96% (1.04x average score across 3 eval scenarios)
- Passed (No known issues)
Quality
Discovery
89%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid description with explicit 'Use when' triggers and good natural keywords covering penetration testing, security audits, and OWASP. Its main weakness is the lack of specific concrete actions—it says 'resolve' issues but doesn't enumerate what kinds of fixes or remediation steps are involved (e.g., fixing XSS, SQL injection, CSRF, authentication issues).
Suggestions
Add specific concrete actions to improve specificity, e.g., 'Fixes XSS, SQL injection, CSRF, authentication flaws, and other common vulnerabilities found in Ark pentest reports.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain ('penetration testing issues in Ark') and a general action ('resolve'/'fixing'), but does not list multiple specific concrete actions. It mentions 'security vulnerabilities from pentest reports' but doesn't specify what kinds of fixes or what concrete steps are taken. | 2 / 3 |
| Completeness | Clearly answers both 'what' (resolve common penetration testing issues in Ark) and 'when' (explicitly states 'Use when fixing security vulnerabilities from pentest reports, security audits, or OWASP Top 10 issues'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would say: 'penetration testing', 'pentest reports', 'security audits', 'OWASP Top 10', 'security vulnerabilities'. These cover common variations of how users would describe this need. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive due to the combination of 'Ark' (specific project/product), 'penetration testing', and 'OWASP Top 10'. This is unlikely to conflict with other skills given the narrow, well-defined niche. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
42%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill is a comprehensive but extremely verbose security reference that explains many concepts Claude already knows well. Its strength is highly actionable, executable code examples across multiple languages with Ark-specific context sprinkled in. Its critical weakness is poor token efficiency — this could be reduced to ~20% of its size by removing generic security descriptions and splitting vulnerability details into separate reference files.
Suggestions
Reduce to a concise overview (~50-80 lines) with the workflow steps and keyword mapping table, moving each vulnerability category into separate reference files (e.g., sql-injection.md, xss.md) linked from the main skill.
Remove all 'Description' fields that explain what each vulnerability is — Claude already knows what SQL injection, XSS, CSRF, etc. are. Keep only detection patterns, mitigations, and Ark-specific context.
Integrate the testing checklist directly into the workflow as explicit validation checkpoints with feedback loops (e.g., 'If bandit finds issues → fix and re-run before proceeding').
Add a brief summary table at the top mapping vulnerability categories to Ark components and file paths, so Claude can quickly identify where to look without reading the entire document.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | This is extremely verbose at 600+ lines. It explains well-known security concepts (what SQL injection is, what XSS is, what CSRF is) that Claude already knows thoroughly. Descriptions like 'Attacker can inject malicious SQL queries through user input' add zero value. Most of the content is generic OWASP knowledge repackaged with minimal Ark-specific context. | 1 / 3 |
| Actionability | The skill provides fully executable, copy-paste ready code examples across Python, Go, JavaScript, Bash, YAML, and Dockerfile formats. Detection patterns and mitigations are concrete, with specific grep commands, library imports, and complete function implementations. | 3 / 3 |
| Workflow Clarity | The 7-step workflow at the end is clearly sequenced and includes a validation step (Step 6) and a user approval checkpoint (Step 4). However, the workflow lacks explicit feedback loops for when fixes fail validation or tests, and the testing checklist is separated from the workflow rather than integrated as checkpoints. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of text with 15 vulnerability categories all inline. There are no bundle files, yet the content badly needs to be split: each vulnerability category could be a separate reference file, with SKILL.md serving as a concise overview with links. The keyword mapping table and Ark-specific considerations could also be separate files. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation
90%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (1013 lines); consider splitting into references/ and linking | Warning |
| Total | | 10 / 11 Passed |