agent-v3-security-architect
Agent skill for v3-security-architect - invoke with $agent-v3-security-architect
41
11%
Does it follow best practices?
Impact
93%
1.36xAverage score across 3 eval scenarios
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./.agents/skills/agent-v3-security-architect/SKILL.mdQuality
Discovery
0%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an extremely weak description that provides virtually no useful information. It fails on every dimension: it describes no capabilities, includes no trigger terms, answers neither 'what' nor 'when', and offers no distinguishing characteristics. It is essentially just an invocation instruction with no functional description.
Suggestions
Add concrete actions describing what the security architect skill does, e.g., 'Performs threat modeling, reviews security architectures, identifies vulnerabilities in system designs, and recommends security controls.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about security architecture, threat modeling, security reviews, attack surface analysis, or security design patterns.'
Remove the invocation instruction from the description (it belongs elsewhere) and replace it with substantive content that helps Claude distinguish this skill from other potentially security-related skills.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description contains no concrete actions whatsoever. It only states it is an 'agent skill' with an invocation command, providing no information about what the skill actually does. | 1 / 3 |
Completeness | Neither 'what does this do' nor 'when should Claude use it' is answered. The description only provides an invocation command with no functional or contextual information. | 1 / 3 |
Trigger Term Quality | The only potentially relevant term is 'security-architect' embedded in the agent name, but there are no natural keywords a user would say. No terms like 'security review', 'threat model', 'vulnerability', or 'architecture' are present. | 1 / 3 |
Distinctiveness Conflict Risk | The description is so vague that Claude would have no basis to distinguish this skill from others. The embedded term 'security-architect' in the agent name provides minimal differentiation but is not described in any meaningful way. | 1 / 3 |
Total | 4 / 12 Passed |
Implementation
22%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a project charter or planning document than an actionable skill for Claude. It contains useful security code patterns but buries them in verbose project management content (timelines, team coordination, success metrics) that doesn't help Claude execute tasks. The lack of a clear workflow with validation steps is particularly problematic for security-critical operations.
Suggestions
Remove project management content (timelines, phase labels, team coordination, success metrics) and focus on concrete step-by-step instructions Claude should follow when performing security work.
Add a clear sequential workflow with explicit validation checkpoints, e.g.: 1. Run npm audit, 2. Fix each CVE with specific commands, 3. Validate fixes, 4. Re-run audit to confirm 0 vulnerabilities.
Expand the code examples for CVE fixes to be complete and copy-paste ready (e.g., full bcrypt implementation replacing SHA-256, complete credential generation script) rather than just describing what should change.
Remove the ASCII threat model diagram and descriptive security boundaries section—replace with a concise checklist of security checks Claude should perform when reviewing or writing code.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Extremely verbose with significant padding. Explains obvious concepts, includes project management details (timelines, phases, team coordination) that are not actionable instructions. The ASCII diagram, success metrics, and coordination sections add bulk without teaching Claude how to do anything specific. Much of this reads like a project plan rather than a skill. | 1 / 3 |
Actionability | The secure patterns catalog provides some concrete, executable TypeScript examples (path sanitization, input validation, command execution), which is valuable. However, the CVE fixes are described at a high level ('implement bcrypt with 12 rounds') without complete implementation code, and much of the content is descriptive checklists rather than executable guidance. | 2 / 3 |
Workflow Clarity | There is no clear sequential workflow with validation checkpoints. The content lists deliverables and timelines but never defines a step-by-step process for actually performing the security overhaul. For destructive/security-critical operations like dependency updates and credential changes, the absence of validation steps and feedback loops is a significant gap. | 1 / 3 |
Progressive Disclosure | The content references deliverable documents (SECURITY-ARCHITECTURE.md, THREAT-MODEL.md, etc.) but these are outputs to create, not existing references to navigate to. The content itself is a monolithic document that mixes high-level architecture, specific code patterns, project management, and team coordination without clear separation or navigation aids. No bundle files support it. | 2 / 3 |
Total | 6 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Repository
- ruvnet/claude-flow
- Commit
2b9e2de
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.