Agent skill for v3-security-architect - invoke with $agent-v3-security-architect
39
7%
Does it follow best practices?
Impact
93%
1.36x average score across 3 eval scenarios
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./.agents/skills/agent-v3-security-architect/SKILL.md
Quality
Discovery
0%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an extremely poor skill description that provides virtually no useful information. It fails on every dimension—it describes no capabilities, includes no trigger terms, answers neither 'what' nor 'when', and offers nothing to distinguish it from other skills. It reads as a placeholder or auto-generated stub rather than a functional description.
Suggestions
Add concrete actions describing what the skill does, e.g., 'Performs security architecture reviews, identifies vulnerabilities, designs threat models, and recommends security controls for system designs.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about security architecture, threat modeling, security reviews, vulnerability assessment, or designing secure systems.'
Remove the invocation command from the description (it's not useful for skill selection) and replace it with domain-specific keywords users would naturally use.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description contains no concrete actions whatsoever. It only states it's an 'agent skill' with an invocation command, providing zero information about what the skill actually does. | 1 / 3 |
| Completeness | Neither 'what does this do' nor 'when should Claude use it' is answered. The description only provides an invocation command with no functional or contextual information. | 1 / 3 |
| Trigger Term Quality | The only potentially relevant term is 'security-architect' embedded in the agent name, but there are no natural keywords a user would say. No terms like 'security review', 'threat model', 'vulnerability', or 'architecture' are present. | 1 / 3 |
| Distinctiveness / Conflict Risk | The description is so vague that it provides no distinguishing characteristics. The only hint of a niche is the name 'security-architect', but without any elaboration, it could conflict with any security-related skill. | 1 / 3 |
| Total | | 4 / 12 Passed |
Implementation
14%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads as a project management plan rather than an actionable skill for Claude. It is excessively verbose, explaining well-known security concepts and including organizational details (timelines, team coordination, success metrics) that don't help Claude execute tasks. The few concrete code examples are useful but buried in a wall of planning text, and critical security operations lack any validation workflows or feedback loops.
Suggestions
Remove project management content (timelines, coordination sections, success metrics) and focus on concrete, executable remediation steps with validation checkpoints for each CVE fix.
Add explicit step-by-step workflows with validation gates, e.g., 'After updating bcrypt: 1. Run tests, 2. Verify hash format, 3. Check backward compatibility' — especially critical for security operations.
Split detailed patterns into separate referenced files (e.g., SECURE-PATTERNS.md, THREAT-MODEL-TEMPLATE.md) and keep SKILL.md as a concise overview with clear navigation links.
Remove explanations of concepts Claude already knows (what path traversal is, what command injection is, what RBAC means) and replace with terse, actionable fix patterns.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose with significant padding. Explains concepts Claude already knows (what path traversal is, what command injection is, what RBAC is). The ASCII diagram adds little value. Coordination sections, success metrics, and timeline details are project management artifacts, not actionable skill instructions. Much of this reads like a project plan rather than a skill teaching Claude how to do something. | 1 / 3 |
| Actionability | The code examples for path sanitization, input validation, and command execution are concrete and executable TypeScript. However, the skill overall is more of a project plan/checklist than actionable guidance. It describes what needs to be done but doesn't provide complete, copy-paste-ready remediation code or specific commands for executing the security overhaul. The CVE fixes list actions but not full implementations. | 2 / 3 |
| Workflow Clarity | Despite involving destructive/critical security operations (dependency updates, auth changes, credential generation), there are no validation checkpoints, no feedback loops, and no clear step-by-step sequence for executing the security overhaul. The checklist format lists deliverables but doesn't sequence the actual work with verification steps. Missing validation is especially problematic for security-critical operations. | 1 / 3 |
| Progressive Disclosure | Monolithic wall of text with no bundle files to support it. References deliverable documents (SECURITY-ARCHITECTURE.md, CVE-REMEDIATION-PLAN.md, etc.) but these are outputs to create, not existing references to navigate to. No structure separating overview from detailed content. Everything is inline in one large document with no clear navigation hierarchy. | 1 / 3 |
| Total | | 5 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.