Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults before cloud deployment.
69
62%
Does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Advisory: Suggest reviewing before use.
Quality
Discovery: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly names concrete tools and security misconfigurations it detects. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The description is well-written in third person and covers a distinct niche with excellent trigger terms.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to scan Terraform code for security issues, run Checkov/tfsec/Terrascan, review IaC security posture, or check cloud infrastructure configurations before deployment.'
Consider mentioning file extensions or patterns like '.tf files', 'HCL', or 'Terraform plans' as additional natural trigger terms users might reference.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: auditing Terraform IaC, detecting overly permissive IAM policies, public resource exposure, missing encryption, insecure defaults. Also names specific tools: Checkov, tfsec, Terrascan, OPA/Rego. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' with detailed capabilities and tools, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied by the phrase 'before cloud deployment'. Per rubric guidelines, missing explicit trigger guidance caps completeness at 2. | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'Terraform', 'security', 'Checkov', 'tfsec', 'Terrascan', 'OPA', 'Rego', 'IAM policies', 'encryption', 'infrastructure-as-code', 'cloud deployment'. These are terms a user working in this domain would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: Terraform-specific security auditing with named tools (Checkov, tfsec, Terrascan, OPA/Rego). Unlikely to conflict with general coding, security, or other IaC skills due to the specificity of the domain and tooling. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill excels at actionability with comprehensive, executable code examples covering multiple tools and a complete CI/CD pipeline. However, it is severely bloated with unnecessary explanations of concepts Claude already knows (IaC definitions, shift-left security), redundant tool descriptions, and all content crammed into a single file. The workflow lacks explicit validation checkpoints between steps, which is important for security scanning operations that may produce hundreds of findings.
Suggestions
Remove the 'Key Concepts' table entirely—Claude knows what IaC, shift-left security, and Terraform plans are. Remove redundant tool descriptions from the 'Tools & Systems' section since each tool is already demonstrated in the workflow.
Extract the OPA/Rego policies into a separate POLICIES.md file, the CI/CD YAML into a CI_CD.md file, and the common scenarios into a SCENARIOS.md file, with clear one-level-deep references from the main skill.
Add explicit validation checkpoints between steps, e.g., 'Review Checkov output before proceeding—if CRITICAL findings exist, fix them before running tfsec' and 'Verify OPA policies pass before integrating into CI/CD'.
Trim the 'When to Use' and 'Do not use' sections to 2-3 bullet points maximum, removing obvious exclusions Claude can infer.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~250+ lines. It includes a 'Key Concepts' table explaining things like 'Infrastructure as Code' and 'Shift Left Security' that Claude already knows. The 'Tools & Systems' section redundantly describes tools already demonstrated in the workflow. The 'When to Use' and 'Do not use' sections are overly detailed for concepts Claude can infer. | 1 / 3 |
| Actionability | The skill provides fully executable bash commands, complete Rego policy files, and a ready-to-use GitHub Actions YAML workflow. Every step includes copy-paste ready code with realistic flags and options. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced (scan with tool A, then B, then custom policies, then CI/CD integration), but there are no validation checkpoints or feedback loops between steps. There is no guidance on what to do when a scan fails mid-workflow, no 'verify results before proceeding' gates, and the state scanning step (Step 6) involves potentially destructive grep-based auditing without validation. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of text with no references to external files. The OPA policies, CI/CD YAML, common scenarios, output format, key concepts table, and tool descriptions are all inline when they could be split into separate reference files. The skill would benefit enormously from a concise overview pointing to detailed sub-documents. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |