Produces penetration test reports with executive summary, technical findings, and remediation guidance. Use when consolidating test evidence, prioritizing risk, and preparing stakeholder-ready deliverables.
77
67%
Does it follow best practices?
Impact
89%
1.20x
Average score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/pt-analysis-reporting/SKILL.md
Quality
Discovery
85%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted description that clearly defines both the skill's purpose and when to use it. It lists specific deliverables and activities, and occupies a distinct niche. The main weakness is that it could include more natural trigger term variations (e.g., 'pentest', 'vulnerability report', 'security assessment') to improve discoverability.
Suggestions
Add common synonyms and abbreviations users might use, such as 'pentest', 'pen test', 'vulnerability report', 'security assessment report', or 'infosec findings'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'executive summary, technical findings, and remediation guidance' as well as 'consolidating test evidence, prioritizing risk, and preparing stakeholder-ready deliverables.' These are concrete, well-defined outputs and activities. | 3 / 3 |
| Completeness | Clearly answers both 'what' (produces penetration test reports with executive summary, technical findings, remediation guidance) and 'when' (use when consolidating test evidence, prioritizing risk, preparing stakeholder-ready deliverables) with an explicit 'Use when...' clause. | 3 / 3 |
| Trigger Term Quality | Includes relevant terms like 'penetration test reports', 'executive summary', 'remediation guidance', 'risk', and 'stakeholder-ready deliverables', but misses common user variations such as 'pentest', 'pen test', 'vulnerability report', 'security assessment', or 'findings report' that users would naturally say. | 2 / 3 |
| Distinctiveness Conflict Risk | The description carves out a clear niche around penetration testing reports specifically, with distinct triggers like 'test evidence', 'remediation guidance', and 'stakeholder-ready deliverables' that are unlikely to conflict with general reporting or security analysis skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a solid structural framework for pen test reporting with a clear workflow and usable template. However, it lacks concrete examples (e.g., a filled-in sample finding), specific frameworks for severity rating, and explicit feedback loops in the workflow. The content sits at an instructional level that Claude could largely generate on its own without this skill.
Suggestions
Add a concrete, filled-in example finding (with realistic severity, evidence, reproduction steps, and remediation) to make the template actionable rather than just structural.
Specify a severity rating framework (e.g., CVSS scoring or a custom risk matrix) rather than leaving 'Severity:' as an empty placeholder.
Add explicit feedback loops to the workflow, e.g., 'If QA reveals unsupported claims, return to step 3 to gather additional evidence or revise the finding.'
Extract the report template into a separate referenced file (e.g., TEMPLATE.md) to improve progressive disclosure and keep the main skill focused on workflow guidance.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is reasonably efficient but includes some unnecessary framing (e.g., 'Objectives' section restates what Claude would already understand about pen test reporting). The template and workflow are useful but could be tighter. | 2 / 3 |
| Actionability | Provides a structured template and workflow steps, which is helpful, but guidance remains at the level of general instructions rather than concrete, executable examples. No sample filled-in findings, no specific severity rating frameworks (e.g., CVSS), and remediation guidance is generic placeholder text rather than illustrative examples. | 2 / 3 |
| Workflow Clarity | The 5-step workflow is clearly sequenced and includes a final QA step, but validation checkpoints are only at the end rather than integrated throughout. There's no explicit feedback loop (e.g., if QA fails, go back to step X), and the QA step itself is vague ('validate evidence links' without specifying how). | 2 / 3 |
| Progressive Disclosure | Content is reasonably organized with clear sections (Workflow, Template, Quality Checks), but everything is inline in a single file. The template section is lengthy and could be referenced as a separate file. No references to supplementary materials for methodology details, severity frameworks, or example reports. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
9976e81