agent-v3-security-architect
Agent skill for v3-security-architect - invoke with $agent-v3-security-architect
41
11%
Does it follow best practices?
Impact
93%
1.36xAverage score across 3 eval scenarios
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./.agents/skills/agent-v3-security-architect/SKILL.mdQuality
Discovery
0%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an extremely weak description that provides virtually no useful information for skill selection. It contains only an invocation command and a generic label, with no actions, triggers, or context. Claude would have no basis for selecting this skill appropriately from a pool of available skills.
Suggestions
Add concrete actions describing what the skill does, e.g., 'Performs security architecture reviews, designs threat models, evaluates system security posture, and recommends security controls.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about threat modeling, security architecture, security design review, attack surface analysis, or security controls.'
Remove the invocation command from the description (it's operational metadata, not descriptive) and replace with domain-specific keywords users would naturally use.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description contains no concrete actions whatsoever. It only states it is an 'agent skill' with an invocation command, providing no information about what the skill actually does. | 1 / 3 |
Completeness | Neither 'what does this do' nor 'when should Claude use it' is answered. The description only provides an invocation command with no functional or contextual information. | 1 / 3 |
Trigger Term Quality | The only potentially relevant term is 'security-architect' embedded in the agent name, but there are no natural keywords a user would say. No terms like 'security review', 'threat model', 'vulnerability', or 'architecture' are present. | 1 / 3 |
Distinctiveness Conflict Risk | The description is so vague that it provides no distinguishing characteristics. The only hint of a niche is the name 'security-architect', but without any elaboration, it could conflict with any security-related skill. | 1 / 3 |
Total | 4 / 12 Passed |
Implementation
22%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a project charter or planning document than an actionable skill for Claude. While it contains some useful concrete code patterns (path sanitization, command execution safety), the majority of content is project management overhead (timelines, coordination notes, success metrics, checklists) that doesn't help Claude execute security tasks. The lack of a clear workflow with validation steps is a critical gap for security-sensitive operations.
Suggestions
Replace the project management content (timelines, coordination sections, success metrics) with a clear step-by-step workflow: e.g., 1. Run npm audit, 2. Fix each CVE with specific commands, 3. Validate fixes, 4. Re-audit.
Add explicit validation checkpoints after each security fix (e.g., 'Run npm audit after dependency update to confirm 0 critical vulnerabilities', 'Test bcrypt implementation with known test vectors').
Provide complete, executable code for each CVE fix rather than high-level descriptions like 'Implement bcrypt with 12 rounds' — show the full before/after code transformation.
Remove the threat model ASCII diagram, security boundary descriptions, and coordination sections — these don't add actionable value and consume significant token budget.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is verbose and padded with project management details (timelines, checklists, coordination sections, success metrics) that don't provide actionable guidance. Much of it reads like a project plan rather than a skill instruction. The threat model ASCII diagram and security boundary descriptions explain concepts Claude already understands. | 1 / 3 |
Actionability | The code examples for path sanitization, input validation, and command execution are concrete and executable TypeScript. However, the CVE fixes are described at a high level ('Implement bcrypt with 12 rounds') without complete implementation code, and the overall skill reads more like a planning document than executable instructions. | 2 / 3 |
Workflow Clarity | There is no clear step-by-step workflow for how to actually perform the security overhaul. The content lists deliverables and timelines but lacks sequenced steps with validation checkpoints. For destructive/security-critical operations like dependency updates and credential changes, the absence of verification steps is a significant gap. | 1 / 3 |
Progressive Disclosure | The content references deliverable documents (SECURITY-ARCHITECTURE.md, CVE-REMEDIATION-PLAN.md, etc.) but these are outputs to create, not existing references to consult. The content itself is a long monolithic document that could benefit from splitting detailed patterns into separate files with clear navigation. | 2 / 3 |
Total | 6 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Repository
- ruvnet/ruflo
- Commit
398f7c2
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.