Agent skill for security-manager - invoke with $agent-security-manager
31
0%
Does it follow best practices?
Impact
82%
1.54x
Average score across 3 eval scenarios
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./.agents/skills/agent-security-manager/SKILL.md
Quality
Discovery
0%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an extremely weak description that fails on every dimension. It provides no information about what the skill does, when to use it, or what domain it covers—only a tool name and invocation syntax. It would be nearly impossible for Claude to correctly select this skill from a pool of available options.
Suggestions
Add concrete actions describing what the skill does, e.g., 'Scans code for security vulnerabilities, manages access permissions, audits authentication configurations.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about security vulnerabilities, access control, authentication, permissions, or security audits.'
Remove the invocation syntax ('invoke with $agent-security-manager') from the description and replace it with functional information that helps Claude decide when to select this skill.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description provides no concrete actions whatsoever. 'Agent skill for security-manager' is entirely vague and does not describe what the skill actually does. | 1 / 3 |
| Completeness | Neither 'what does this do' nor 'when should Claude use it' is answered. The description only states it's an agent skill and how to invoke it, providing no functional or contextual information. | 1 / 3 |
| Trigger Term Quality | The only keyword is 'security-manager', which is a tool name rather than a natural term a user would say. There are no natural language trigger terms like 'vulnerability', 'security audit', 'permissions', etc. | 1 / 3 |
| Distinctiveness Conflict Risk | The description is so generic that 'security-manager' could overlap with any security-related skill. There are no distinct triggers or specific capabilities to differentiate it. | 1 / 3 |
| Total | 4 / 12 Passed | |
Implementation
0%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is a massive, non-executable design document masquerading as an actionable skill. It contains hundreds of lines of illustrative JavaScript classes that reference undefined dependencies and cannot be run. It provides no concrete workflow, no validation steps, no real commands, and wastes enormous token budget on conceptual code that Claude could generate on its own if given concise, specific instructions.
Suggestions
Replace the illustrative class implementations with a concise overview of security responsibilities and specific, executable commands or code snippets that Claude can actually use (e.g., real library calls, CLI tools, concrete configuration).
Add a clear multi-step workflow with explicit validation checkpoints, e.g., '1. Generate keys using X, 2. Validate key shares by running Y, 3. If validation fails, do Z'.
Split detailed reference material (attack detection patterns, cryptographic implementations) into separate bundle files and reference them from a concise SKILL.md overview.
Remove explanatory code that Claude can generate itself and focus on project-specific conventions, tool configurations, and constraints that Claude wouldn't otherwise know.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~500+ lines of code. Most of the content is illustrative class implementations that Claude already understands conceptually. The code is not executable (references undefined classes like EllipticCurve, BehaviorAnalyzer, etc.) and reads more like a design document than actionable instructions. Massive token waste. | 1 / 3 |
| Actionability | Despite the volume of code, none of it is executable — it references numerous undefined classes (EncryptedKeyStore, BehaviorAnalyzer, ReputationSystem, etc.), uses pseudocode-level abstractions, and provides no concrete commands or real library imports. There are no actual steps Claude can follow to implement security for a real system. | 1 / 3 |
| Workflow Clarity | There is no clear workflow or sequence of steps for Claude to follow. The content is organized as a collection of class definitions without any guidance on when to use them, in what order, or how to validate results. No validation checkpoints or error recovery flows are defined despite dealing with security-critical operations. | 1 / 3 |
| Progressive Disclosure | Monolithic wall of code with no references to external files and no bundle files to support it. All content is inlined in a single massive document with no navigation aids, no summary/overview section that points to details elsewhere, and no logical separation of concerns across files. | 1 / 3 |
| Total | 4 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (627 lines); consider splitting into references/ and linking | Warning |
| Total | 10 / 11 Passed | |
e6dc21f