CtrlK
BlogDocsLog inGet started
Tessl Logo

auditing-gcp-iam-permissions

Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage, service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill body is highly actionable with executable gcloud/Python examples and a clear six-step workflow, but it is weakened by verbose concept/output padding, missing validation feedback loops around destructive remediation, and bundle files that are never referenced from the body.

Suggestions

Add explicit validation/feedback checkpoints around Step 6's destructive operations (e.g., verify recommender state and re-query bindings after each remediation before proceeding).

Link the existing bundle files from the body — reference references/api-reference.md for the Python client equivalents and scripts/agent.py for automation — so progressive disclosure is actually surfaced.

Trim the 'Key Concepts' table and the mock 'Output Format' report to the essential fields to reduce token bulk.

DimensionReasoningScore

Conciseness

The body is mostly efficient executable commands, but the 'Key Concepts' table and the large mock 'Output Format' report add explanatory/padded material that could be tightened. Not a 3 because of this extra bulk, and not a 1 because it avoids explaining basic concepts Claude already knows.

2 / 3

Actionability

Dense with fully executable, copy-paste-ready gcloud commands and Python snippets with clearly marked placeholders (ORG_ID, PROJECT_ID), matching the 'fully executable code/commands' anchor. Not a 2 because the guidance is concrete and complete rather than pseudocode or abstract.

3 / 3

Workflow Clarity

Six steps are clearly sequenced, but Step 6 performs destructive/batch remediation (remove-iam-policy-binding, key deletion, SA disable) and Steps 2/5 loop over all service accounts with no validation or validate-fix-retry feedback loops. Per the rubric, missing feedback loops for destructive/batch operations caps this at 2. Not a 3 due to the absent checkpoints.

2 / 3

Progressive Disclosure

The body is well-organized into sections, but bundle files exist (references/api-reference.md, scripts/agent.py) and are never linked or signaled from the body, while API detail that could live in the reference is inlined. Not a 1 because the body is sectioned rather than a monolithic wall of text, and not a 3 because the provided references are not surfaced.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific, well-targeted, and clearly distinguishable, with good natural trigger terms and concrete actions. Its main weakness is the absence of an explicit 'Use when...' trigger clause, which caps completeness at 2.

Suggestions

Append an explicit 'Use when...' clause, e.g. 'Use when auditing GCP IAM for over-permissive bindings, primitive roles, or service-account key sprawl across an organization or project.'

Prefer the common shorthand 'GCP' alongside 'Google Cloud Platform' so the description matches how users actually phrase the request.

DimensionReasoningScore

Specificity

Lists multiple concrete actions and findings — 'identify overly permissive bindings, primitive role usage, service account key proliferation, and cross-project access risks' — plus three named tools (gcloud CLI, Policy Analyzer, IAM Recommender), matching the 'lists multiple specific concrete actions' anchor.

3 / 3

Completeness

The 'what' is clearly answered, but there is no 'Use when...' clause or equivalent explicit trigger guidance; per the judging guidelines a missing trigger clause caps completeness at 2. Not a 3 because 'when' is only implied by the topic, and not a 1 because the 'what' is strong.

2 / 3

Trigger Term Quality

Natural terms a user would say are well covered: 'Google Cloud Platform IAM permissions', 'gcloud CLI', 'Policy Analyzer', 'IAM Recommender', 'service account', 'primitive role'. Not a 2 because common variations are present rather than just a single relevant keyword.

3 / 3

Distinctiveness Conflict Risk

Occupies a clear niche (GCP IAM permission auditing) with distinct tool-based triggers unlikely to fire for unrelated skills. Not a 2 because the scope is tightly bounded to GCP IAM rather than overlapping with generic cloud or document skills.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.