Agent skill for security-manager - invoke with $agent-security-manager
35
6%
Does it follow best practices?
Impact: 82% (1.54x average score across 3 eval scenarios)
Advisory: suggest reviewing before use
Optimize this skill with Tessl:
npx tessl skill review --optimize ./.agents/skills/agent-security-manager/SKILL.md
Quality
Discovery (0%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an extremely weak description that provides virtually no useful information for skill selection. It only names the skill and its invocation command without describing any capabilities, use cases, or trigger conditions. It fails on every dimension of the rubric.
Suggestions
Add specific concrete actions the skill performs, e.g., 'Scans code for vulnerabilities, manages access permissions, audits security configurations, reviews dependency risks.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about security vulnerabilities, access control, permission management, security audits, or CVE analysis.'
Remove the invocation instruction ('invoke with $agent-security-manager') from the description and replace it with functional details that help Claude distinguish this skill from others.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description contains no concrete actions whatsoever. 'Agent skill for security-manager' is entirely vague and does not describe what the skill actually does. | 1 / 3 |
| Completeness | Neither 'what does this do' nor 'when should Claude use it' is answered. The description only states it's an agent skill and how to invoke it, providing no functional or contextual information. | 1 / 3 |
| Trigger Term Quality | The only keyword is 'security-manager', which is a tool name rather than a natural term a user would say. There are no natural language trigger terms like 'vulnerability', 'security audit', 'permissions', etc. | 1 / 3 |
| Distinctiveness / Conflict Risk | The description is so generic that 'security-manager' could overlap with any security-related skill. There are no distinct triggers or specific capabilities to differentiate it. | 1 / 3 |
| Total | | 4 / 12 Passed |
Implementation (12%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is an extremely verbose, non-executable architectural sketch of a consensus security system. It explains concepts Claude already knows (cryptographic primitives, attack types, key management) through hundreds of lines of pseudocode that references undefined classes and methods. It provides no actionable guidance—no real libraries, no installation commands, no executable examples—and lacks the structure, validation checkpoints, and progressive disclosure expected of a quality skill.
Suggestions
Replace illustrative pseudocode with executable code using real libraries (e.g., `@noble/secp256k1`, `node:crypto`) with concrete installation and usage instructions.
Reduce content by 80%+ by removing explanations of concepts Claude already knows (Byzantine attacks, Sybil attacks, ZKPs, threshold signatures) and focusing only on project-specific conventions or configurations.
Add explicit validation checkpoints and error recovery steps for security-critical workflows like key generation and rotation.
Split detailed implementations into separate reference files and keep SKILL.md as a concise overview with clear navigation links.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~500+ lines of code. Most of the code is illustrative pseudocode-style JavaScript with placeholder methods (e.g., `this.generateSecureRandom()`, `this.curve.multiply()`) that aren't executable. Claude already understands cryptographic concepts, attack types, and key management patterns—this explains rather than instructs. | 1 / 3 |
| Actionability | Despite the volume of code, none of it is executable. Classes reference undefined dependencies (EllipticCurve, BehaviorAnalyzer, ReputationSystem, etc.), methods call unimplemented functions, and there are no concrete commands, installation steps, or real library references. This is architectural pseudocode dressed as implementation. | 1 / 3 |
| Workflow Clarity | Some multi-step processes are sequenced (e.g., DKG phases 1-6, key rotation steps), but there are no validation checkpoints, no error recovery feedback loops, and no verification steps between phases. For security-critical operations involving cryptographic key management, the absence of explicit validation gates is a significant gap. | 2 / 3 |
| Progressive Disclosure | The entire skill is a monolithic wall of code with no references to external files, no layered structure, and no separation between overview and detailed implementation. Everything is inline with no navigation aids or content splitting. | 1 / 3 |
| Total | | 5 / 12 Passed |
Validation (90%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (627 lines); consider splitting into references/ and linking | Warning |
| Total | | 10 / 11 Passed |