Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage, service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/auditing-gcp-iam-permissions/SKILL.md`

Quality

Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly defines the skill's capabilities and tools within a well-defined niche. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The technical specificity and natural keyword coverage are excellent.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about GCP IAM auditing, reviewing cloud permissions, checking for overly permissive roles, or analyzing service account security.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: auditing IAM permissions, identifying overly permissive bindings, primitive role usage, service account key proliferation, and cross-project access risks. Also names specific tools: gcloud CLI, Policy Analyzer, and IAM Recommender. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' with specific auditing actions and tools, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied by the nature of the described actions. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Google Cloud Platform', 'IAM permissions', 'overly permissive', 'service account key', 'cross-project access', 'gcloud CLI', 'Policy Analyzer', 'IAM Recommender'. These cover the domain well and match how practitioners talk about GCP IAM auditing. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with a clear niche: GCP IAM permission auditing specifically. The combination of platform (GCP), domain (IAM), activity (auditing), and specific tools makes it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, highly actionable GCP IAM auditing skill with comprehensive executable commands covering the full audit lifecycle. Its main weaknesses are the lack of validation checkpoints around destructive remediation operations (removing bindings, deleting keys) and some unnecessary verbosity in definitional sections that Claude doesn't need. The monolithic structure could benefit from splitting reference material into separate files.
Suggestions
Add explicit validation checkpoints in Step 6 before destructive operations: verify new predefined roles grant needed access before removing primitive roles, confirm service account is truly unused before disabling.
Remove or significantly trim the Key Concepts table and Tools & Systems section—Claude already knows what primitive roles and predefined roles are; keep only non-obvious definitions like domain-wide delegation risks.
Split the Common Scenarios section and Output Format template into separate referenced files (e.g., SCENARIOS.md, REPORT_TEMPLATE.md) to reduce the main skill's token footprint.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly comprehensive but includes some unnecessary content like the Key Concepts table defining terms Claude already knows (e.g., what a primitive role is, what a predefined role is). The Tools & Systems section also restates obvious descriptions. However, the core workflow commands are lean and useful. | 2 / 3 |
| Actionability | Every step provides fully executable gcloud CLI commands with specific flags, output formats, and inline Python processing scripts. The commands are copy-paste ready with clear placeholder values (ORG_ID, PROJECT_ID, etc.) and cover the complete audit workflow from enumeration through remediation. | 3 / 3 |
| Workflow Clarity | The six steps are logically sequenced and cover the full audit lifecycle. However, Step 6 (remediation) involves destructive operations (removing IAM bindings, deleting keys, disabling service accounts) without explicit validation checkpoints or rollback guidance. There's no 'verify the binding was correctly replaced before removing the old one' step, which should cap this at 2 per the rubric's feedback loop requirement for destructive changes. | 2 / 3 |
| Progressive Disclosure | The content is a monolithic document at ~200+ lines with no references to external files for detailed content. The Key Concepts table, Common Scenarios section, and Output Format template could be split into separate reference files. The structure within the file is good with clear headers, but everything is inline. | 2 / 3 |
| Total | | 9 / 12 Passed |
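As an added example (not code from the skill under review or from Tessl), the following Python script shows the kind of offline processing the audit described in the skill's description relies on, together with the validation checkpoint the review asks for before destructive remediation. It walks a constructed policy document in the shape returned by `gcloud projects get-iam-policy PROJECT --format=json` and a constructed key listing in the shape of `gcloud iam service-accounts keys list --format=json`, flags primitive-role bindings, public principals, cross-project service accounts and stale user-managed keys, and emits a `remove-iam-policy-binding` command only once every replacement role is already bound to the member in the policy it is given. The project IDs, principals, key IDs, and timestamps are constructed, and the helper functions are hypothetical, not part of gcloud or the skill.

```python
"""Offline checks over GCP IAM policy and key listings (added example; constructed data).

Input shapes mirror `gcloud projects get-iam-policy PROJECT --format=json` and
`gcloud iam service-accounts keys list --iam-account=SA --format=json`; no gcloud
call is made here. Project IDs, principals, key IDs and dates are constructed.
"""
import json
from datetime import datetime, timezone

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
SA_SUFFIX = ".iam.gserviceaccount.com"
AUDIT_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed "now" for key ages

# Constructed policy for a hypothetical project "my-proj".
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "etag": "BwXconstructed=",
  "bindings": [
    {"role": "roles/owner",  "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": [
        "serviceAccount:deploy@other-proj.iam.gserviceaccount.com",
        "group:devs@example.com"]},
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/run.developer", "members": ["group:devs@example.com"]},
    {"role": "roles/cloudbuild.builds.editor",
     "members": ["serviceAccount:ci@my-proj.iam.gserviceaccount.com"]}
  ]
}
""")

# Constructed key listing for ci@my-proj; key IDs are made up.
SAMPLE_KEYS = json.loads("""
[
  {"name": "projects/my-proj/serviceAccounts/ci@my-proj.iam.gserviceaccount.com/keys/a1b2c3",
   "keyType": "USER_MANAGED", "validAfterTime": "2024-01-10T00:00:00Z",
   "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/my-proj/serviceAccounts/ci@my-proj.iam.gserviceaccount.com/keys/d4e5f6",
   "keyType": "SYSTEM_MANAGED", "validAfterTime": "2025-05-01T00:00:00Z",
   "validBeforeTime": "2025-05-15T00:00:00Z"},
  {"name": "projects/my-proj/serviceAccounts/ci@my-proj.iam.gserviceaccount.com/keys/f7a8b9",
   "keyType": "USER_MANAGED", "validAfterTime": "2025-05-20T00:00:00Z",
   "validBeforeTime": "9999-12-31T23:59:59Z"}
]
""")


def _pairs(policy):
    """Yield (role, member) for every binding; a conditional binding still grants."""
    for b in policy.get("bindings", []):
        for m in b.get("members", []):
            yield b["role"], m


def primitive_bindings(policy):
    """Owner/editor/viewer grants: broad legacy roles that should become predefined roles."""
    return [(r, m) for r, m in _pairs(policy) if r in PRIMITIVE_ROLES]


def public_bindings(policy):
    """Grants to allUsers / allAuthenticatedUsers (the internet, or any Google account)."""
    return [(r, m) for r, m in _pairs(policy) if m in PUBLIC_PRINCIPALS]


def cross_project_service_accounts(policy, project_id):
    """User-managed service accounts whose home project differs from the audited one."""
    found = []
    for role, member in _pairs(policy):
        if member.startswith("serviceAccount:") and member.endswith(SA_SUFFIX):
            home = member.split("@", 1)[1][: -len(SA_SUFFIX)]
            if home != project_id:
                found.append((role, member))
    return found


def stale_user_managed_keys(keys, now, max_age_days=90):
    """User-managed keys older than max_age_days; system-managed keys rotate on their own."""
    stale = []
    for k in keys:
        if k.get("keyType") != "USER_MANAGED":
            continue
        created = datetime.fromisoformat(k["validAfterTime"].replace("Z", "+00:00"))
        age = (now - created).days
        if age > max_age_days:
            stale.append((k["name"].rsplit("/", 1)[-1], age))
    return stale


def plan_primitive_removal(policy, project_id, member, old_role, replacement_roles):
    """Validation checkpoint before a destructive change.

    Returns (safe_to_remove, commands). The remove command is emitted only when
    every replacement role is already bound to the member in the policy passed
    in: grant first, re-read the policy, call this again, then remove.
    """
    bound = {r for r, m in _pairs(policy) if m == member}
    if old_role not in bound:
        return True, []
    missing = [r for r in replacement_roles if r not in bound]
    cmds = [f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member={member} --role={r}" for r in missing]
    if missing:
        return False, cmds
    cmds.append(f"gcloud projects remove-iam-policy-binding {project_id} "
                f"--member={member} --role={old_role}")
    return True, cmds


if __name__ == "__main__":
    print("primitive:", primitive_bindings(SAMPLE_POLICY))
    print("public:", public_bindings(SAMPLE_POLICY))
    print("cross-project SAs:", cross_project_service_accounts(SAMPLE_POLICY, "my-proj"))
    print("stale keys:", stale_user_managed_keys(SAMPLE_KEYS, AUDIT_NOW))
    print(plan_primitive_removal(SAMPLE_POLICY, "my-proj", "group:devs@example.com",
                                 "roles/editor",
                                 ["roles/run.developer", "roles/cloudbuild.builds.editor"]))
```

Run against a real project by piping `gcloud projects get-iam-policy PROJECT --format=json` into `SAMPLE_POLICY` instead of the constructed document. The point of `plan_primitive_removal` taking the policy as input is that the caller must re-fetch the policy after granting the predefined roles and only then ask for the removal command; with the constructed policy, `group:devs@example.com` still lacks `roles/cloudbuild.builds.editor`, so the function refuses to produce the removal and returns the missing grant instead.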
Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |