Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults before cloud deployment.
Score: 73
Quality: 62% (Does it follow best practices?)
Impact: 91% (1.35x average score across 3 eval scenarios)
Advisory: Suggest reviewing before use

Quality
Discovery
Discovery: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent specificity, naming concrete tools and specific security issues to detect. The trigger term coverage is comprehensive with domain-appropriate keywords. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill over others.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to scan Terraform code for security issues, run Checkov/tfsec/Terrascan, review IaC security posture, or check cloud infrastructure configurations for vulnerabilities.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: auditing Terraform IaC, detecting overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults. Also names specific tools: Checkov, tfsec, Terrascan, and OPA/Rego policies. | 3 / 3 |
| Completeness | The 'what' is thoroughly covered with specific tools and detection targets, but there is no explicit 'Use when...' clause or equivalent trigger guidance. The timing is only implied by the phrase 'before cloud deployment', which is not a clear trigger instruction for Claude. | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'Terraform', 'security', 'Checkov', 'tfsec', 'Terrascan', 'OPA', 'Rego', 'IAM policies', 'encryption', 'cloud deployment', 'infrastructure-as-code'. These are terms a user working in this domain would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: Terraform security auditing with specific named tools (Checkov, tfsec, Terrascan, OPA/Rego). This is unlikely to conflict with general coding, general security, or other IaC skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
Implementation: 42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable guidance across multiple IaC security tools with real commands and complete code examples. However, it is excessively verbose — explaining basic concepts Claude already knows, duplicating tool descriptions, and inlining content that should be in separate files. The workflow lacks validation checkpoints and feedback loops for handling scan results and false positives.
Suggestions
Remove the 'Key Concepts' table entirely — Claude knows what IaC, shift-left security, and Terraform plans are. Remove or drastically trim the 'Tools & Systems' section since the tools are already demonstrated in the workflow.
Add explicit validation checkpoints: after each scan step, include guidance on reviewing results, triaging false positives, and verifying that fixes resolve findings before proceeding.
Split the OPA/Rego policies, CI/CD pipeline YAML, and output format template into separate referenced files (e.g., POLICIES.md, CICD.md, OUTPUT_FORMAT.md) to improve progressive disclosure.
Consolidate redundant command variations — show one primary command per tool with the most useful flags, and note alternative flags inline rather than listing 6-7 separate invocations per tool.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~250+ lines. The 'Key Concepts' table explains things Claude already knows (what IaC is, what 'shift left' means, what a Terraform plan is). The 'Tools & Systems' section repeats information already demonstrated in the workflow. The 'When to Use' and 'Do not use' sections are unnecessarily detailed. Multiple redundant command variations are shown without clear justification. | 1 / 3 |
| Actionability | Provides fully executable bash commands, complete Rego policy files, a working GitHub Actions YAML pipeline, and concrete CLI invocations with real flags and options. All code examples are copy-paste ready with real tool names, check IDs, and output formats. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced (1-6) and logically ordered from scanning through CI/CD integration. However, there are no validation checkpoints or feedback loops between steps: no guidance on what to do when scans disagree, how to verify fixes actually resolve findings, or how to handle false positives systematically. The state scanning step (Step 6) involves potentially destructive triage but lacks verification steps. | 2 / 3 |
| Progressive Disclosure | Monolithic wall of content with no references to external files. Everything is inline: the OPA policies, the CI/CD pipeline, the output format template, the scenario walkthrough, and the glossary table could all be split into separate referenced files. With no bundle files provided, this is a missed opportunity for better organization of a very long skill. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
0f429d0