Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults before cloud deployment.
73
Quality: 62% (Does it follow best practices?)
Impact: 91% (1.01x average score across 3 eval scenarios)
Passed: No known issues
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that names concrete tools and detection targets, making it very distinctive among skills. Its main weakness is the lack of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. The trigger term coverage is excellent for the infrastructure security domain.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to scan Terraform code for security issues, run Checkov/tfsec/Terrascan, review IaC for compliance, or check cloud infrastructure configurations before deployment.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: auditing Terraform IaC, detecting overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults. Also names specific tools: Checkov, tfsec, Terrascan, and OPA/Rego policies. | 3 / 3 |
| Completeness | The 'what' is thoroughly covered with specific tools and detection targets, but there is no explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied by the phrase 'before cloud deployment'. Per rubric guidelines, missing explicit trigger guidance caps completeness at 2. | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'Terraform', 'security', 'Checkov', 'tfsec', 'Terrascan', 'OPA', 'Rego', 'IAM policies', 'encryption', 'cloud deployment', 'infrastructure-as-code'. These are terms a user working in this domain would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: Terraform-specific security auditing using named tools (Checkov, tfsec, Terrascan, OPA/Rego). This is unlikely to conflict with general coding skills, generic security skills, or other IaC tools. | 3 / 3 |
| Total | 11 / 12 | Passed |
Implementation
42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable content with real commands, policies, and CI/CD configurations, which is its primary strength. However, it is significantly bloated with unnecessary explanations of concepts Claude already knows (IaC definitions, tool descriptions), redundant command variations, and a monolithic structure that dumps everything into a single file. The workflow lacks explicit validation checkpoints and feedback loops for what is inherently a multi-step, iterative process.
Suggestions
Remove the 'Key Concepts' table entirely — Claude knows what IaC, shift-left security, and Terraform plans are. Remove the 'Tools & Systems' section as the tools are already demonstrated in the workflow.
Add explicit validation checkpoints between steps: after each scan, include a 'Review findings → fix critical issues → re-scan to confirm resolution' feedback loop before proceeding to the next tool.
Split content into separate files: move OPA policies to a POLICIES.md, CI/CD pipeline to CI_CD.md, the common scenario to SCENARIOS.md, and keep SKILL.md as a concise overview with references.
Trim redundant command variations — show one primary command per tool with the most useful flags, and reference a separate file for additional options.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~250+ lines. The 'Key Concepts' table explains things Claude already knows (what IaC is, what 'shift left' means, what a Terraform plan is). The 'Tools & Systems' section repeats information already demonstrated in the workflow. The 'When to Use' and 'Do not use' sections are unnecessarily detailed. Multiple redundant command variations are shown without clear justification. | 1 / 3 |
| Actionability | Provides fully executable bash commands, complete Rego policy files, and a working GitHub Actions YAML pipeline. Commands are copy-paste ready with real flags and options, and the OPA policies are concrete and functional. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced (1-6) and logically ordered from scanning through CI/CD integration. However, there are no explicit validation checkpoints or feedback loops between steps — for example, no guidance on what to do when Checkov finds issues before proceeding to tfsec, or how to verify that fixes actually resolve findings before moving forward. | 2 / 3 |
| Progressive Disclosure | Monolithic wall of content with no references to external files. Everything is inline — the OPA policies, the CI/CD pipeline, the common scenarios, the output format, and the glossary table could all be split into separate referenced files. No bundle files exist to support progressive disclosure. | 1 / 3 |
| Total | 7 / 12 | Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 | Passed |