agent-v3-security-architect

Agent skill for v3-security-architect - invoke with $agent-v3-security-architect

1.36x

Quality

Does it follow best practices?

Impact

93%

1.36x

Average score across 3 eval scenarios

Securityby

Advisory

Suggest reviewing before use

Optimize this skill with Tessl

npx tessl skill review --optimize ./.agents/skills/agent-v3-security-architect/SKILL.md

Quality

Content

14%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads more like a project management document or role description than an actionable skill for Claude. It is excessively verbose with team coordination details, timeline information, and success metrics that don't help Claude execute security tasks. While it contains a few useful concrete code patterns (path sanitization, safe command execution), the majority of content lacks clear workflows, validation steps, and the concise instructional format needed for an effective skill.

Suggestions

Remove project management content (timelines, team coordination, success metrics, phase planning) and focus on concrete step-by-step instructions Claude should follow when performing security work.

Add a clear sequential workflow with validation checkpoints, e.g.: 1. Run npm audit, 2. Fix critical CVEs, 3. Validate fixes, 4. Run security tests — with explicit commands at each step.

Provide complete executable code for each CVE fix (e.g., the actual bcrypt implementation, the actual credential generation code) rather than just describing what should be done.

Split detailed security patterns into a referenced SECURE-PATTERNS.md file and keep SKILL.md as a concise overview with clear navigation to supporting documents.

Dimension	Reasoning	Score
Conciseness	Extremely verbose with extensive project management content (timelines, phases, coordination sections, success metrics) that doesn't teach Claude how to perform a specific task. The threat model ASCII diagram, team coordination details, and checklist-style deliverables are padding that Claude doesn't need. Much of this reads like a project plan rather than an actionable skill.	1 / 3
Actionability	The code examples for path sanitization, input validation, and command execution are concrete and executable TypeScript. However, the skill overall describes what should be done rather than instructing how to do it — it lists CVEs with vague 'Action' items like 'Implement bcrypt with 12 rounds' without showing the actual implementation code, and many sections are descriptive checklists rather than executable guidance.	2 / 3
Workflow Clarity	There is no clear sequential workflow for performing the security overhaul. The content lists priorities and deliverables but doesn't define a step-by-step process with validation checkpoints. For destructive/security-critical operations like dependency updates and credential changes, the absence of verification steps and feedback loops is a significant gap.	1 / 3
Progressive Disclosure	The content is a monolithic wall of text with no bundle files to reference. It mentions deliverable documents (SECURITY-ARCHITECTURE.md, THREAT-MODEL.md, etc.) but these are outputs to create, not references to existing content. The skill tries to cover everything inline — threat modeling, CVE details, patterns, coordination, metrics — without any structural organization into separate files.	1 / 3
	Total	5 / 12 Passed

Description

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an extremely weak description that provides virtually no useful information for skill selection. It contains only an invocation command and a generic label, with no actions, triggers, or context. Claude would be unable to determine when to use this skill over any other.

Suggestions

Add concrete actions describing what the skill does, e.g., 'Performs security architecture reviews, threat modeling, and identifies vulnerabilities in system designs.'

Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about security architecture, threat models, attack surfaces, security design patterns, or vulnerability assessments.'

Remove the invocation command from the description (it's operational metadata, not descriptive) and replace with functional content that distinguishes this from other security-related skills.

Dimension	Reasoning	Score
Specificity	The description contains no concrete actions whatsoever. It only states it is an 'agent skill' with an invocation command, providing zero information about what the skill actually does.	1 / 3
Completeness	Neither 'what does this do' nor 'when should Claude use it' is answered. The description only provides an invocation command with no functional or contextual information.	1 / 3
Trigger Term Quality	The only potentially relevant term is 'security-architect' embedded in the agent name, but there are no natural keywords a user would say. No terms like 'security review', 'threat model', 'vulnerability', or 'architecture' are present.	1 / 3
Distinctiveness Conflict Risk	The description is so vague that Claude would have no basis to distinguish this skill from others. The only hint is 'security-architect' in the name, but without any elaboration, it could conflict with any security-related skill.	1 / 3
	Total	4 / 12 Passed

Validation

100%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: ruvnet/ruflo
Commit: 28c81c0

Reviewed: about 19 hours ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.