Resolve common penetration testing issues in Ark. Use when fixing security vulnerabilities from pentest reports, security audits, or OWASP Top 10 issues.
Overall score: 76

Quality: 66% (Does it follow best practices?)

Impact: 96% (1.04x average score across 3 eval scenarios). Passed; no known issues.

Optimize this skill with Tessl: `npx tessl skill review --optimize ./.claude/skills/pentest-issue-resolver/SKILL.md`

Quality

Discovery: 89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid description with explicit 'Use when' triggers and good natural keywords covering penetration testing, security audits, and OWASP. Its main weakness is the lack of specific concrete actions—it says 'resolve' but doesn't enumerate what kinds of fixes or remediation steps are involved (e.g., fixing XSS, SQL injection, authentication issues).
Suggestions
Add specific concrete actions to improve specificity, e.g., 'Fixes XSS, SQL injection, CSRF, authentication flaws, and other common vulnerabilities found in Ark pentest reports.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain ('penetration testing issues in Ark') and a general action ('resolve'/'fixing'), but does not list multiple specific concrete actions. It mentions 'security vulnerabilities from pentest reports' but doesn't specify what kinds of fixes or what concrete steps are taken. | 2 / 3 |
| Completeness | Clearly answers both 'what' (resolve common penetration testing issues in Ark) and 'when' (explicitly states 'Use when fixing security vulnerabilities from pentest reports, security audits, or OWASP Top 10 issues'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would say: 'penetration testing', 'pentest reports', 'security audits', 'OWASP Top 10', 'security vulnerabilities'. These cover common variations of how users would describe this need. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive due to the combination of 'Ark' (specific project/product), 'penetration testing', and 'OWASP Top 10'. This is unlikely to conflict with other skills given the narrow, well-defined niche. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill is a comprehensive security reference with excellent, executable code examples across multiple languages and frameworks, but it is far too verbose for a SKILL.md file. It explains fundamental security concepts Claude already knows (OWASP Top 10 definitions) and inlines ~600 lines of content that should be split across reference files. The Ark-specific context sections are the most valuable parts but are buried within generic security knowledge.
Suggestions
Extract each vulnerability category into a separate reference file (e.g., `vulnerabilities/sql-injection.md`) and keep SKILL.md as a concise overview with the workflow and links to each category.
Remove all 'Description' fields that explain what each vulnerability is—Claude already knows what SQL injection, XSS, CSRF, etc. are. Keep only Ark-specific detection patterns, file locations, and mitigations.
Consolidate the 'Ark Context' sections into a single Ark architecture/component map at the top, rather than repeating which directories to check under each vulnerability.
Add an explicit feedback loop in the workflow for when security tests fail (e.g., 'If tests fail, revisit Step 2 to check for additional vulnerable patterns').
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at 600+ lines. Explains well-known security concepts (what SQL injection is, what XSS is, what CSRF is) that Claude already knows. Descriptions like 'Attacker can inject malicious SQL queries through user input' add no value. The entire OWASP Top 10 is essentially reproduced here with basic explanations, when only Ark-specific patterns and file locations would be novel information. | 1 / 3 |
| Actionability | Provides fully executable code examples across Python, Go, JavaScript, Bash, YAML, and Dockerfile formats. Detection patterns, grep commands, and mitigation code are all copy-paste ready with concrete library imports and function implementations. | 3 / 3 |
| Workflow Clarity | The 7-step workflow (Steps 1-7) is clearly sequenced and includes a validation step (Step 6) and user approval gate (Step 4). However, the validation step is thin—just 'make test' and comments—with no explicit feedback loop for when security tests fail. The testing checklist is helpful but disconnected from the workflow steps. | 2 / 3 |
| Progressive Disclosure | Monolithic wall of text with 15 vulnerability categories fully inlined. This content should be split into separate reference files (e.g., one per vulnerability category or grouped by component) with SKILL.md serving as an overview with the workflow and links. The keyword mapping table and Ark-specific considerations could also be separate files. No references to external files exist. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (1013 lines); consider splitting into references/ and linking | Warning |
| Total | | 10 / 11 Passed |