Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults before cloud deployment.
69
62% (Does it follow best practices?)
Impact: Pending (no eval scenarios have been run)
Advisory: Suggest reviewing before use
Quality
Discovery: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent specificity, naming concrete tools and specific security misconfigurations it detects. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The domain-specific terminology provides excellent trigger term coverage for users working with Terraform security.
Suggestions
- Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to scan Terraform code for security issues, run static analysis on .tf files, or check infrastructure-as-code for compliance.'
- Consider adding file extension triggers like '.tf', '.tfvars', or 'HCL' to capture additional natural user terms.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: auditing Terraform IaC, detecting overly permissive IAM policies, public resource exposure, missing encryption, insecure defaults. Also names specific tools: Checkov, tfsec, Terrascan, OPA/Rego. | 3 / 3 |
| Completeness | The 'what' is thoroughly covered with specific tools and detection targets, but there is no explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied by the phrase 'before cloud deployment'. Per rubric guidelines, missing explicit trigger guidance caps completeness at 2. | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'Terraform', 'security', 'Checkov', 'tfsec', 'Terrascan', 'OPA', 'Rego', 'IAM policies', 'encryption', 'infrastructure-as-code', 'cloud deployment'. These are terms a user working in this domain would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: Terraform security auditing with specific named tools (Checkov, tfsec, Terrascan, OPA/Rego). This is unlikely to conflict with other skills due to the very specific domain and tooling mentioned. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill excels at actionability with concrete, executable code examples across multiple tools, but is severely undermined by verbosity and poor content organization. It explains concepts Claude already knows (IaC, shift-left security), includes redundant tool descriptions, and packs everything into a single monolithic document that would consume excessive context window. The workflow lacks validation feedback loops critical for security scanning operations.
Suggestions
- Remove the 'Key Concepts' table entirely: Claude knows what IaC, shift-left security, and Terraform plans are. Remove the 'Tools & Systems' section as the tools are already demonstrated in the workflow.
- Extract the Rego policy examples into a referenced file (e.g., CUSTOM_POLICIES.md), the CI/CD YAML into CI_CD_INTEGRATION.md, and the output format into a separate reference, keeping only a concise overview in the main skill.
- Add explicit validation checkpoints: after each scan step, include a 'verify results → triage findings → fix critical → re-scan' feedback loop before proceeding to the next tool.
- Trim the 'When to Use' / 'Do not use' and 'Common Scenarios' sections significantly: the scenario narrative is useful but overly long for a skill file.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~250+ lines. It includes a 'Key Concepts' table explaining things like 'Infrastructure as Code' and 'Shift Left Security' that Claude already knows. The 'Tools & Systems' section redundantly describes tools already demonstrated in the workflow. The 'When to Use' and 'Do not use' sections are overly detailed for Claude's intelligence level. | 1 / 3 |
| Actionability | The skill provides fully executable bash commands, complete Rego policy files, and a ready-to-use GitHub Actions YAML workflow. Every step includes concrete, copy-paste-ready code with specific flags and options. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced (1-6) but lack validation checkpoints between steps. There is no feedback loop for when scans fail: no 'if findings exceed threshold, fix and re-scan' pattern. The state scanning step (Step 6) involves potentially sensitive operations without verification guidance. The CI/CD pipeline has soft_fail flags but no explicit guidance on interpreting or acting on failures. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of text with everything inline: detailed Rego policies, full CI/CD YAML, extensive CLI examples, a glossary table, and a lengthy output format example. The Rego policies, CI/CD configuration, and output format template should be in separate referenced files. No external file references are used despite the content clearly warranting them. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation: 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |