
auditing-gcp-iam-permissions

Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage, service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.

62

Quality: 73%

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Passed

No known issues


Quality

Content: 64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a solid, actionable GCP IAM auditing skill with comprehensive, executable gcloud CLI commands covering the full audit lifecycle. Its main weaknesses are the lack of validation checkpoints before destructive remediation actions (Step 6) and the monolithic structure that could benefit from splitting reference material into separate files. Some content like the Key Concepts glossary explains things Claude already knows, adding unnecessary token cost.

Suggestions

Add explicit validation checkpoints in Step 6 before destructive operations — e.g., 'Apply predefined roles first, verify access with Policy Analyzer, then remove primitive roles only after confirming no access denied errors in audit logs.'

Move the Key Concepts table, Common Scenarios, and Output Format template into separate referenced files to improve progressive disclosure and reduce the main skill's token footprint.

Remove or significantly trim the Key Concepts table — Claude already knows what primitive roles, predefined roles, and service account keys are.
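The validation checkpoint the first suggestion asks for can be expressed as a small gate that runs between "apply predefined role" and "remove primitive role". The following is an added example, not code from the reviewed skill or from this review. It assumes the JSON shapes printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud logging read --format=json` (Cloud Audit Log records, where a denied call carries `protoPayload.status.code` 7, PERMISSION_DENIED); the sample policy, principals and log entries are constructed.

```python
"""Checkpointed removal of primitive IAM roles (added example).

Input shapes assumed: the policy dict is what `gcloud projects get-iam-policy
PROJECT_ID --format=json` prints; each log entry is what `gcloud logging read
--format=json` prints for a Cloud Audit Log record. Sample data is constructed.
"""
from datetime import datetime, timezone

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
PERMISSION_DENIED = 7  # google.rpc.Code value recorded in protoPayload.status.code


def find_risky_bindings(policy):
    """Return (role, member) pairs that use a primitive role or a public member."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if role in PRIMITIVE_ROLES or member in PUBLIC_MEMBERS:
                findings.append((role, member))
    return findings


def has_predefined_role(policy, member):
    """True if the member already holds at least one non-primitive role."""
    return any(
        member in b.get("members", [])
        for b in policy.get("bindings", [])
        if b.get("role") not in PRIMITIVE_ROLES
    )


def denied_methods(entries, member, since):
    """Methods the member was denied at or after `since` (an aware datetime).

    `member` is an IAM member string such as 'user:alice@example.com'; audit
    logs record only the bare principal email, so the prefix is stripped.
    """
    principal = member.split(":", 1)[1] if ":" in member else member
    denied = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("authenticationInfo", {}).get("principalEmail") != principal:
            continue
        if payload.get("status", {}).get("code") != PERMISSION_DENIED:
            continue
        ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
        if ts >= since:
            denied.append(payload.get("methodName", "?"))
    return denied


def safe_to_remove_primitive(policy, member, entries, since):
    """Checkpoint: predefined role present AND no denials during the soak window.

    Returns (ok, denied_methods). A denial means the predefined role lacks a
    permission the member still needs, so the primitive role must stay for now.
    """
    denied = denied_methods(entries, member, since)
    return has_predefined_role(policy, member) and not denied, denied


def remediation_command(project_id, member, primitive_role):
    """The removal command, to be run only after safe_to_remove_primitive() is ok."""
    return (
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member={member} --role={primitive_role}"
    )


# Constructed sample data (not real project output).
DEPLOY_SA = "serviceAccount:deploy@my-proj.iam.gserviceaccount.com"
ALICE = "user:alice@example.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": [ALICE, DEPLOY_SA]},
        {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/compute.admin", "members": [DEPLOY_SA]},
        {"role": "roles/storage.objectViewer", "members": [ALICE]},
    ]
}
SOAK_START = datetime(2024, 5, 1, tzinfo=timezone.utc)  # when predefined roles were applied
SAMPLE_LOGS = [
    # Old denial for the SA, before the predefined role was applied: ignored.
    {"timestamp": "2024-04-20T10:00:00Z", "protoPayload": {
        "methodName": "compute.instances.list",
        "authenticationInfo": {"principalEmail": "deploy@my-proj.iam.gserviceaccount.com"},
        "status": {"code": 7}}},
    # Successful call by the SA inside the soak window: no status block.
    {"timestamp": "2024-05-02T09:30:00Z", "protoPayload": {
        "methodName": "v1.compute.instances.insert",
        "authenticationInfo": {"principalEmail": "deploy@my-proj.iam.gserviceaccount.com"}}},
    # Alice is denied inside the window: her predefined role is insufficient.
    {"timestamp": "2024-05-03T14:12:00Z", "protoPayload": {
        "methodName": "compute.instances.list",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "status": {"code": 7, "message": "PERMISSION_DENIED"}}},
]

if __name__ == "__main__":
    for role, member in find_risky_bindings(SAMPLE_POLICY):
        print(f"risky binding: {role} -> {member}")
    for member in (DEPLOY_SA, ALICE):
        ok, denied = safe_to_remove_primitive(SAMPLE_POLICY, member, SAMPLE_LOGS, SOAK_START)
        if ok:
            print(remediation_command("my-proj", member, "roles/owner"))
        else:
            print(f"keep roles/owner for {member}: denied {denied}")
```

With the constructed data the deploy service account passes the gate (it holds `roles/compute.admin` and its only denial predates the soak window), while Alice fails it because a PERMISSION_DENIED was logged after her predefined role was applied, so her `roles/owner` binding is kept and the denied method tells you which predefined role is still missing. The soak window should be long enough to cover the member's real usage cycle (a monthly batch job needs a month), and the gate should also be re-run against Policy Analyzer output before the removal command is executed.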

Dimension / Reasoning / Score

Conciseness

The skill is fairly comprehensive but includes some unnecessary content like the Key Concepts table defining terms Claude already knows (e.g., what a Primitive Role or Predefined Role is). The 'When to Use' section is useful but the negative cases add moderate bloat. The Common Scenarios section, while helpful, adds length that could be trimmed.

2 / 3

Actionability

The skill provides fully executable gcloud CLI commands throughout all six steps, with concrete flags, output formats, and inline Python scripts for processing results. Commands are copy-paste ready with clear placeholder conventions (ORG_ID, PROJECT_ID, etc.).

3 / 3

Workflow Clarity

The six steps are clearly sequenced and logically ordered from enumeration through remediation. However, Step 6 applies destructive changes (removing IAM bindings, deleting keys, disabling service accounts) without explicit validation checkpoints or feedback loops — there's no 'verify the new bindings work before removing the old ones' step, and the Common Scenarios section mentions a testing period but the actual workflow doesn't enforce it.

2 / 3

Progressive Disclosure

The content is a monolithic document with no references to external files for detailed content. The Key Concepts table, Common Scenarios section, and Output Format template could be split into separate reference files. For a skill of this length (~200+ lines), the lack of any progressive disclosure structure is a weakness, though the internal section organization is reasonable.

2 / 3

Total: 9 / 12 (Passed)

Description: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong, highly specific description that clearly articulates concrete capabilities and uses domain-appropriate terminology that practitioners would naturally use. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. Adding trigger guidance would elevate this from good to excellent.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about GCP IAM auditing, reviewing cloud permissions, checking for overly permissive roles, or analyzing service account security.'

Dimension / Reasoning / Score

Specificity

Lists multiple specific concrete actions: auditing IAM permissions, identifying overly permissive bindings, primitive role usage, service account key proliferation, and cross-project access risks. Also names specific tools: gcloud CLI, Policy Analyzer, and IAM Recommender.

3 / 3

Completeness

Clearly answers 'what does this do' with detailed capabilities, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied by the nature of the described actions, which caps this at 2 per the rubric guidelines.

2 / 3

Trigger Term Quality

Includes strong natural keywords users would say: 'Google Cloud Platform', 'IAM permissions', 'overly permissive', 'service account key', 'cross-project access', 'gcloud CLI', 'Policy Analyzer', 'IAM Recommender'. These cover the domain well and match how practitioners talk about GCP IAM auditing.

3 / 3

Distinctiveness Conflict Risk

Highly specific niche targeting GCP IAM auditing with distinct triggers like 'primitive role usage', 'service account key proliferation', and named GCP-specific tools. Very unlikely to conflict with other skills.

3 / 3

Total: 11 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
