agent-v3-security-architect
Agent skill for v3-security-architect - invoke with $agent-v3-security-architect
41
11%
Does it follow best practices?
Impact
93%
1.36xAverage score across 3 eval scenarios
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./.agents/skills/agent-v3-security-architect/SKILL.mdQuality
Discovery
0%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an extremely weak description that provides virtually no useful information for skill selection. It contains only an invocation command and a generic label, with no actions, triggers, or context. Claude would have no basis for choosing this skill appropriately from a set of available skills.
Suggestions
Add concrete actions describing what the skill does, e.g., 'Performs security architecture reviews, identifies threat vectors, designs secure system architectures, and evaluates compliance with security frameworks.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about security architecture, threat modeling, security design patterns, access control design, or system hardening.'
Remove the invocation command from the description (it's operational metadata, not descriptive) and replace with domain-specific keywords users would naturally use.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description contains no concrete actions whatsoever. It only states it is an 'agent skill' with an invocation command, providing no information about what the skill actually does. | 1 / 3 |
Completeness | Neither 'what does this do' nor 'when should Claude use it' is answered. The description only provides an invocation command with no functional or contextual information. | 1 / 3 |
Trigger Term Quality | The only potentially relevant term is 'security-architect' embedded in the agent name, but there are no natural keywords a user would say. No terms like 'security review', 'threat model', 'vulnerability', or 'architecture' are present. | 1 / 3 |
Distinctiveness Conflict Risk | The description is so vague that it provides no distinguishing characteristics. The embedded term 'security-architect' hints at a domain but without any elaboration, it could conflict with any security-related skill. | 1 / 3 |
Total | 4 / 12 Passed |
Implementation
22%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a project management brief or security audit report than an actionable skill for Claude. While it contains some useful concrete code patterns (path sanitization, safe command execution), the majority of content is verbose project planning (timelines, phases, coordination, success metrics) that doesn't help Claude execute tasks. Critical weaknesses include the complete absence of validation workflows for security-critical operations and excessive explanatory content about well-known vulnerability types.
Suggestions
Remove all project management content (timelines, phases, coordination sections, success metrics) and focus on executable security patterns and remediation steps Claude should follow.
Add explicit validation workflows with checkpoints: e.g., after updating dependencies run `npm audit`, after changing auth code run specific test commands, with error recovery steps if validation fails.
Consolidate the secure patterns into a concise reference (remove explanations of what CVEs are) and move detailed pattern catalogs to a separate SECURE-PATTERNS.md file referenced from the main skill.
Replace vague remediation actions like 'Update to @anthropic-ai$claude-code@^2.0.31' with exact commands (e.g., `npm install @anthropic-ai/claude-code@^2.0.31`) and verification steps.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is extremely verbose with extensive project management content (timelines, phases, coordination sections, success metrics, checklists) that Claude doesn't need. It explains concepts Claude already knows (what path traversal is, what command injection is) and includes decorative ASCII diagrams and emoji that waste tokens without adding actionable value. | 1 / 3 |
Actionability | The code examples for secure patterns (Zod validation, path sanitization, execFile usage) are concrete and executable TypeScript. However, much of the skill is descriptive project management rather than executable guidance—file references use placeholder-like paths (api$auth-service.ts:580-588), and the actual remediation steps are vague ('Update to @anthropic-ai$claude-code@^2.0.31' without showing how). | 2 / 3 |
Workflow Clarity | Despite dealing with security-critical and potentially destructive operations (dependency updates, credential changes, auth service modifications), there are no validation checkpoints, no feedback loops, and no clear sequential workflow. The checklists are deliverable-oriented rather than step-by-step execution workflows. Missing validation steps for security-critical operations should cap this at 2, and the lack of any real workflow drops it to 1. | 1 / 3 |
Progressive Disclosure | The content references deliverable documents (SECURITY-ARCHITECTURE.md, THREAT-MODEL.md, etc.) which suggests some progressive disclosure intent, but these are listed as outputs to create rather than existing references to navigate to. The content itself is a monolithic document that mixes architecture overview, implementation patterns, project management, and coordination details all inline. | 2 / 3 |
Total | 6 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Repository
- ruvnet/claude-flow
- Commit
322b2ae
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.