agent-v3-security-architect
Agent skill for v3-security-architect - invoke with $agent-v3-security-architect
41
11%
Does it follow best practices?
Impact
93%
1.36xAverage score across 3 eval scenarios
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./.agents/skills/agent-v3-security-architect/SKILL.mdQuality
Discovery
0%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an extremely weak description that provides virtually no useful information for skill selection. It contains only an invocation command and a generic label, with no actions, triggers, or context. Claude would have no basis for selecting this skill appropriately from a pool of available skills.
Suggestions
Add concrete actions describing what the skill does, e.g., 'Performs security architecture reviews, identifies vulnerabilities, designs threat models, and recommends security controls for system designs.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about security architecture, threat modeling, security review, vulnerability assessment, or secure system design.'
Remove the invocation command from the description (it's operational metadata, not descriptive) and replace with domain-specific keywords users would naturally use.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description contains no concrete actions whatsoever. It only states it is an 'agent skill' with an invocation command, providing no information about what the skill actually does. | 1 / 3 |
Completeness | Neither 'what does this do' nor 'when should Claude use it' is answered. The description only provides an invocation command with no functional or contextual information. | 1 / 3 |
Trigger Term Quality | The only potentially relevant term is 'security-architect' embedded in the agent name, but there are no natural keywords a user would say. No terms like 'security review', 'threat model', 'vulnerability', or 'architecture' are present. | 1 / 3 |
Distinctiveness Conflict Risk | The description is so vague that it provides no distinguishing characteristics. The embedded term 'security-architect' hints at a domain but is insufficient to differentiate it from other security-related skills. | 1 / 3 |
Total | 4 / 12 Passed |
Implementation
22%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a project planning document or RFC than an actionable skill for Claude. It is heavy on descriptive context (timelines, team coordination, success metrics) and light on executable step-by-step instructions. The few code examples are decent but are buried in verbose project management content that doesn't help Claude perform the actual security work.
Suggestions
Remove project management content (timelines, team coordination, success metrics) and focus on concrete step-by-step instructions Claude should follow when invoked — e.g., 'Run npm audit, then fix each CVE in this order with these exact code changes.'
Add explicit validation checkpoints: after each CVE fix, specify how to verify the fix worked (e.g., 'Run npm audit --json and confirm 0 critical vulnerabilities' or 'Run the bcrypt test suite').
Provide complete, executable code for each CVE fix rather than just describing the action (e.g., show the full bcrypt implementation, not just 'Implement bcrypt with 12 rounds').
Restructure as a workflow: define a clear sequence of steps Claude should execute, with decision points and error recovery, rather than a flat list of issues and deliverables.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Extremely verbose with significant padding. Explains concepts Claude already knows (what path traversal is, what command injection is), includes project management details (timelines, phase planning, team coordination) that aren't actionable instructions, and the ASCII diagram adds little value. The hooks section in the frontmatter is also bloated with echo statements. | 1 / 3 |
Actionability | The code examples for path sanitization, input validation, and command execution are concrete and executable TypeScript. However, much of the content is descriptive rather than instructive — it lists issues and actions at a high level ('Implement bcrypt with 12 rounds') without providing the actual implementation code. The deliverables are checklists, not executable guidance. | 2 / 3 |
Workflow Clarity | There is no clear sequential workflow for actually performing the security overhaul. The content lists priorities and deliverables but doesn't define a step-by-step process with validation checkpoints. For security-critical operations (CVE remediation, dependency updates), there are no feedback loops or verification steps — just checkboxes. | 1 / 3 |
Progressive Disclosure | The content references several deliverable documents (SECURITY-ARCHITECTURE.md, CVE-REMEDIATION-PLAN.md, etc.) but these are outputs to create, not existing references to navigate to. The content itself is a monolithic document that mixes architecture overview, code patterns, project management, and team coordination without clear separation or navigation to supporting files. | 2 / 3 |
Total | 6 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Repository
- ruvnet/claude-flow
- Commit
9d4a9ea
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.