
auditing-gcp-iam-permissions

Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage, service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.

Overall score: 78

Quality: 73% (does it follow best practices?)
Impact: Pending (no eval scenarios have been run)
Security by Snyk: Passed (no known issues)

Optimize this skill with Tessl: npx tessl skill review --optimize ./skills/auditing-gcp-iam-permissions/SKILL.md

Quality

Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong, highly specific description that clearly communicates the skill's capabilities and domain. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The specificity and distinctiveness are excellent, with concrete actions and tool names that clearly define the skill's niche.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about GCP IAM security audits, reviewing cloud permissions, checking for overprivileged roles, or analyzing service account keys.'

Dimension (score): reasoning

Specificity (3 / 3): Lists multiple specific, concrete actions: auditing IAM permissions, identifying overly permissive bindings, primitive role usage, service account key proliferation, and cross-project access risks. Also names specific tools: gcloud CLI, Policy Analyzer, and IAM Recommender.

Completeness (2 / 3): Clearly answers 'what does this do' with detailed capabilities, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied by the nature of the described actions, which per the rubric caps completeness at 2.

Trigger Term Quality (3 / 3): Includes strong natural keywords users would say: 'Google Cloud Platform', 'IAM permissions', 'overly permissive', 'service account key', 'cross-project access', 'gcloud CLI', 'Policy Analyzer', 'IAM Recommender'. These cover the domain well and match how practitioners talk about GCP IAM auditing.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive with a clear niche: GCP IAM permission auditing specifically. The combination of GCP-specific tools and IAM security concerns makes it very unlikely to conflict with other skills.

Total: 11 / 12

Passed

Implementation: 64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a solid, highly actionable skill with comprehensive gcloud CLI commands covering the full IAM audit lifecycle. Its main weaknesses are the lack of validation checkpoints around destructive remediation operations (removing bindings, deleting keys) and some verbosity in definitional sections that Claude doesn't need. The monolithic structure could benefit from splitting reference material into separate files.

Suggestions

Add explicit validation steps in Step 6 remediation: verify new predefined roles grant needed access before removing primitive roles, and confirm service accounts are truly unused before disabling them.

Remove or significantly trim the Key Concepts table and Tools & Systems section—Claude already knows what primitive roles and predefined roles are; focus only on non-obvious project-specific conventions.

Split the Output Format template and Common Scenarios into separate referenced files (e.g., REPORT_TEMPLATE.md, SCENARIOS.md) to reduce the main skill's token footprint.

Dimension (score): reasoning

Conciseness (2 / 3): The skill is fairly comprehensive but includes some unnecessary content, such as the Key Concepts table defining terms Claude already knows (e.g., what a primitive role is, what a predefined role is). The Tools & Systems section also restates obvious descriptions. However, the code examples themselves are lean and purposeful.

Actionability (3 / 3): Every step includes fully executable gcloud CLI commands with concrete flags, format strings, and inline Python processing scripts. The commands are copy-paste ready with clear placeholder conventions (ORG_ID, PROJECT_ID, SA_EMAIL). The remediation step includes specific add/remove binding commands.

Workflow Clarity (2 / 3): The 6-step workflow is clearly sequenced from enumeration through remediation, but Step 6 (remediation) involves destructive operations (removing IAM bindings, deleting keys, disabling service accounts) without explicit validation checkpoints or feedback loops. There is no 'verify the binding was correctly replaced before removing the old one' step, and no rollback guidance.

Progressive Disclosure (2 / 3): The content is a monolithic document with no references to external files for detailed content. The Common Scenarios section, Key Concepts table, and Output Format template could be split into separate reference files. However, the internal structure with clear headers and logical sections provides reasonable navigability.

Total: 9 / 12

Passed
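The checks named in the skill description (primitive roles, public and cross-project bindings, stale user-managed keys) and the validation checkpoint the Implementation review asks for before the destructive remove step, as an added Python example. This is not code from the skill or from the Tessl review. It runs offline on the JSON shapes that `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json` return; the policy, key list, required-permission set and role-to-permission map are constructed for the example (the permission map is a hypothetical subset, not the real role definitions), and the project ID `my-proj` is an assumption.

```python
"""Offline checks over a GCP project IAM policy and service-account key list.

Input shapes follow `gcloud projects get-iam-policy PROJECT_ID --format=json`
and `gcloud iam service-accounts keys list --iam-account=SA --format=json`.
All sample data below is constructed for this example, not captured from a real project.
"""
import re
from datetime import datetime, timedelta, timezone

# Primitive (now called "basic") roles grant far more than any single workload needs.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Customer-created service accounts live under <project-id>.iam.gserviceaccount.com.
SA_RE = re.compile(r"^serviceAccount:[^@]+@([^.]+)\.iam\.gserviceaccount\.com$")


def iter_bindings(policy):
    """Yield (role, member) for every member of every binding in the policy."""
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            yield binding["role"], member


def find_primitive_role_bindings(policy):
    return [(r, m) for r, m in iter_bindings(policy) if r in PRIMITIVE_ROLES]


def find_public_bindings(policy):
    return [(r, m) for r, m in iter_bindings(policy) if m in PUBLIC_MEMBERS]


def find_cross_project_service_accounts(policy, project_id):
    """Service accounts owned by other projects that hold roles in this one.

    Google-managed service agents (gcp-sa-*) are skipped: they are not customer
    projects. Legacy domains such as the default compute SA's
    developer.gserviceaccount.com do not match SA_RE and are out of scope here."""
    hits = []
    for role, member in iter_bindings(policy):
        match = SA_RE.match(member)
        if match and match.group(1) != project_id and not match.group(1).startswith("gcp-sa-"):
            hits.append((role, member))
    return hits


def find_stale_user_managed_keys(keys, now, max_age_days=90):
    """Names of USER_MANAGED keys older than max_age_days (Google-managed keys rotate themselves)."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        if created < cutoff:
            stale.append(key["name"])
    return stale


def plan_primitive_role_replacement(policy, project_id, member, primitive_role,
                                    predefined_role, required_perms, role_perms):
    """Checkpoint before the destructive step: return the add-then-remove commands
    only if the member really holds the primitive role and the predefined role covers
    every permission the member is known to need; raise with the gap otherwise."""
    if (primitive_role, member) not in set(iter_bindings(policy)):
        raise ValueError(f"{member} does not hold {primitive_role}")
    missing = sorted(set(required_perms) - set(role_perms.get(predefined_role, ())))
    if missing:
        raise ValueError(f"{predefined_role} lacks required permissions: {missing}")
    target = f"{project_id} --member={member}"
    return [
        f"gcloud projects add-iam-policy-binding {target} --role={predefined_role}",
        f"gcloud projects remove-iam-policy-binding {target} --role={primitive_role}",
    ]


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the example is reproducible
SAMPLE_POLICY = {  # constructed; the project ID "my-proj" is an assumption
    "version": 1, "etag": "BwXexample=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": ["serviceAccount:deploy@other-proj.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/viewer", "members": ["serviceAccount:app@my-proj.iam.gserviceaccount.com",
                                            "serviceAccount:service-123@gcp-sa-compute.iam.gserviceaccount.com"]},
    ],
}
KEY_PREFIX = "projects/my-proj/serviceAccounts/app@my-proj.iam.gserviceaccount.com/keys/"
SAMPLE_KEYS = [  # constructed
    {"name": KEY_PREFIX + "a1", "keyType": "USER_MANAGED", "validAfterTime": "2024-01-15T10:00:00Z"},
    {"name": KEY_PREFIX + "b2", "keyType": "USER_MANAGED", "validAfterTime": "2025-05-01T10:00:00Z"},
    {"name": KEY_PREFIX + "c3", "keyType": "SYSTEM_MANAGED", "validAfterTime": "2023-01-01T00:00:00Z"},
]
# Hypothetical permission subsets, NOT the real role definitions. In practice take
# required_perms from Policy Analyzer or audit logs and role_perms from `gcloud iam roles describe`.
ROLE_PERMS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}
ALICE_NEEDS = {"storage.objects.get", "storage.objects.create"}

if __name__ == "__main__":
    print("primitive:", find_primitive_role_bindings(SAMPLE_POLICY))
    print("public:", find_public_bindings(SAMPLE_POLICY))
    print("cross-project:", find_cross_project_service_accounts(SAMPLE_POLICY, "my-proj"))
    print("stale keys:", find_stale_user_managed_keys(SAMPLE_KEYS, NOW))
    for cmd in plan_primitive_role_replacement(SAMPLE_POLICY, "my-proj", "user:alice@example.com",
                                               "roles/owner", "roles/storage.objectAdmin",
                                               ALICE_NEEDS, ROLE_PERMS):
        print(cmd)
```

The planner refuses to emit the remove command when the candidate predefined role leaves a gap (with `roles/storage.objectViewer` it raises because `storage.objects.create` is missing), which is the checkpoint the review notes is absent from Step 6. Emitting the add before the remove also keeps the member's access continuous if the second command fails.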

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 checks passed

Validation for skill structure

Criteria (result): description

frontmatter_unknown_keys (Warning): Unknown frontmatter key(s) found; consider removing or moving to metadata

Total: 10 / 11

Passed

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
