Agent skill for v3-security-architect - invoke with $agent-v3-security-architect
41
11%
Does it follow best practices?
Impact
93%
1.36x
Average score across 3 eval scenarios
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
`npx tessl skill review --optimize ./.agents/skills/agent-v3-security-architect/SKILL.md`
Quality
Discovery
0%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an extremely weak description that provides virtually no useful information for skill selection. It contains only an invocation command and a generic label, with no actions, triggers, or context. Claude would have no basis for selecting this skill appropriately from a pool of available skills.
Suggestions
- Add concrete actions describing what the skill does, e.g., 'Performs security architecture reviews, identifies vulnerabilities, designs threat models, and recommends security controls for system designs.'
- Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about security architecture, threat modeling, security review, vulnerability assessment, or secure system design.'
- Remove the invocation command from the description (it's operational metadata, not descriptive) and replace with domain-specific keywords users would naturally use.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description contains no concrete actions whatsoever. It only states it is an 'agent skill' with an invocation command, providing no information about what the skill actually does. | 1 / 3 |
| Completeness | Neither 'what does this do' nor 'when should Claude use it' is answered. The description only provides an invocation command with no functional or contextual information. | 1 / 3 |
| Trigger Term Quality | The only potentially relevant term is 'security-architect' embedded in the agent name, but there are no natural keywords a user would say. No terms like 'security review', 'threat model', 'vulnerability', or 'architecture' are present. | 1 / 3 |
| Distinctiveness Conflict Risk | The description is so vague that it provides no distinguishing characteristics. The embedded term 'security-architect' hints at a domain but without any elaboration, it could conflict with any security-related skill. | 1 / 3 |
| Total | | 4 / 12 Passed |
Implementation
22%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a project plan or requirements document than an actionable skill for Claude. While it contains some useful concrete code patterns (path sanitization, safe command execution), the majority of content is project management overhead (timelines, coordination notes, success metrics, checklists) that doesn't help Claude execute tasks. Critical security operations lack validation workflows and feedback loops.
Suggestions
- Replace project management content (timelines, phases, coordination sections, success metrics) with concrete step-by-step implementation workflows that include validation checkpoints (e.g., 'After updating bcrypt, run `npm test -- --grep security` to verify').
- Add explicit validation/verification steps for each CVE fix—e.g., 'Run `npm audit` after dependency update and confirm 0 critical vulnerabilities before proceeding'.
- Remove descriptive sections Claude already understands (what RBAC is, what threat model domains are) and replace the ASCII diagram with actionable security boundary enforcement code.
- Split the secure patterns catalog into a separate SECURE-PATTERNS.md reference file and keep SKILL.md focused on the workflow for triaging and fixing security issues.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is verbose and padded with project management content (timelines, phases, coordination sections, success metrics) that doesn't provide actionable guidance. It explains concepts Claude already knows (what threat models are, what RBAC is) and includes decorative ASCII diagrams that add no value. | 1 / 3 |
| Actionability | The code examples for path sanitization, input validation, and command execution are concrete and executable TypeScript. However, much of the content is descriptive checklists and planning documents rather than executable instructions—it tells Claude what deliverables to produce but not exactly how to implement the fixes in the actual codebase. | 2 / 3 |
| Workflow Clarity | Despite dealing with security-critical and potentially destructive operations (dependency updates, auth changes, credential generation), there are no validation checkpoints, no feedback loops, and no clear step-by-step sequence. The phases and timelines are project management artifacts, not actionable workflows with verification steps. | 1 / 3 |
| Progressive Disclosure | The content is organized with clear headers and sections, and references deliverable documents (SECURITY-ARCHITECTURE.md, THREAT-MODEL.md, etc.). However, all content is inline in one monolithic file with no actual links to separate reference files, and the document is quite long with content that could be split out. | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
0f7c750