Agent skill for security-manager - invoke with $agent-security-manager
35
6%
Does it follow best practices?
Impact
82%
1.54x average score across 3 eval scenarios
Advisory
Suggest reviewing before use
Optimize this skill with Tessl: `npx tessl skill review --optimize ./.agents/skills/agent-security-manager/SKILL.md`
Quality
Discovery
0%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is essentially a label with an invocation command and provides no useful information about what the skill does, when to use it, or what triggers should activate it. It fails on every dimension of the rubric and would be nearly impossible for Claude to correctly select from a pool of available skills.
Suggestions
Add concrete actions describing what the skill does, e.g., 'Scans code for security vulnerabilities, manages access permissions, audits authentication configurations.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about security vulnerabilities, access control, permissions, authentication, or code auditing.'
Remove the invocation instruction ('invoke with $agent-security-manager') from the description, as it is operational detail rather than selection-relevant information.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description provides no concrete actions whatsoever. 'Agent skill for security-manager' is entirely vague and does not describe what the skill actually does. | 1 / 3 |
| Completeness | Neither 'what does this do' nor 'when should Claude use it' is answered. The description only states the invocation command, providing no functional or contextual information. | 1 / 3 |
| Trigger Term Quality | The only keyword is 'security-manager', which is a tool name rather than a natural term a user would say. There are no natural language trigger terms like 'vulnerability', 'scan', 'permissions', etc. | 1 / 3 |
| Distinctiveness Conflict Risk | The term 'security-manager' is generic and could overlap with many security-related skills. Without specific capabilities or triggers, it is indistinguishable from any other security-related tool. | 1 / 3 |
| Total | | 4 / 12 Passed |
Implementation
12%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is an extensive but non-actionable document that reads more like a software architecture design document than an operational skill for Claude. The code examples are illustrative pseudocode with numerous undefined dependencies, making none of it executable. The extreme verbosity (~500+ lines) wastes token budget explaining concepts Claude already understands while failing to provide concrete, copy-paste-ready guidance.
Suggestions
Replace illustrative pseudocode with executable code using real libraries (e.g., `noble-secp256k1` for threshold signatures, actual Node.js crypto APIs) or remove code entirely and provide concise algorithmic guidance.
Reduce content to under 100 lines focusing on decision points and configuration that Claude wouldn't already know—specific thresholds, protocol choices, and integration patterns unique to this system.
Add explicit validation checkpoints and error recovery steps for critical operations like key generation and rotation (e.g., 'Verify share checksums before proceeding to combination step').
Split detailed implementations (ZKP system, attack detection, key management) into separate referenced files and keep SKILL.md as a concise overview with navigation links.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~500+ lines of code. Most of the code is illustrative pseudocode-style JavaScript with placeholder methods (e.g., `this.generateSecureRandom()`, `this.curve.multiply()`) that aren't executable. Claude already understands cryptographic concepts, attack types, and key management patterns; this explains rather than instructs. | 1 / 3 |
| Actionability | Despite the volume of code, none of it is executable. Classes reference undefined dependencies (EllipticCurve, BehaviorAnalyzer, ReputationSystem, etc.), methods call unimplemented functions, and there are no concrete commands, installation steps, or real library references. This is architectural pseudocode dressed as implementation. | 1 / 3 |
| Workflow Clarity | Some multi-step processes are sequenced (e.g., DKG phases 1-6, key rotation steps), but there are no validation checkpoints, no error recovery feedback loops, and no verification steps between phases. For security-critical operations involving cryptographic key management, the absence of explicit validation gates is a significant gap. | 2 / 3 |
| Progressive Disclosure | The entire skill is a monolithic wall of code with no references to external files, no layered structure, and no separation between overview and detailed content. Everything is inline with no navigation aids or cross-references to supplementary materials. | 1 / 3 |
| Total | | 5 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (627 lines); consider splitting into references/ and linking | Warning |
| Total | | 10 / 11 Passed |
0d9f9b1