Automation skill for designing, verifying, and improving auth, cost, logging, and security compliance based on the internal AI tool mandatory implementation guide (P0/P1). Supports the full lifecycle of RBAC design, Gateway principles, Firestore policy, behavior logs, cost transparency, and the criteria verification system.
Overall score: 65

Quality: 47% (does it follow best practices?)

Impact: 100% (2.27x average score across 3 eval scenarios)

Risk: Risky. Do not use without reviewing.
Quality

Discovery: 32%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description covers a specialized compliance automation domain with some specific technical components, but suffers from vague action verbs and complete absence of trigger guidance. The internal jargon (P0/P1, Gateway principles) may help distinctiveness but hurts discoverability for users who don't know these terms.
Suggestions

- Add an explicit 'Use when...' clause with natural trigger phrases like 'when setting up RBAC permissions', 'when auditing security compliance', 'when configuring Firestore rules'
- Replace vague verbs ('designing, verifying, improving') with concrete actions like 'generates RBAC role matrices', 'validates P0/P1 checklist items', 'creates Firestore security rules'
- Include user-facing synonyms alongside internal terms, e.g., 'security compliance (P0/P1 requirements)', 'access control (RBAC)' to improve trigger term coverage
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (auth, cost, logging, security compliance) and mentions several components (RBAC design, Gateway principles, Firestore policy), but the actions are vague ('designing, verifying, improving') rather than concrete operations. | 2 / 3 |
| Completeness | Describes what it does (designing/verifying compliance) but completely lacks a 'Use when...' clause or any explicit trigger guidance. No indication of when Claude should select this skill over others. | 1 / 3 |
| Trigger Term Quality | Includes some relevant technical terms (RBAC, Firestore, Gateway, P0/P1) but these are internal jargon. Missing natural user phrases like 'set up permissions', 'check security', 'audit compliance'. Users are unlikely to say 'mandatory implementation guide'. | 2 / 3 |
| Distinctiveness / Conflict Risk | References specific internal concepts (P0/P1 guide, Gateway principles) which adds some distinctiveness, but broad terms like 'auth', 'security compliance', 'logging' could overlap with other security or infrastructure skills. | 2 / 3 |
| Total | 7 / 12 Passed | |
Implementation: 62%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides exceptionally actionable and well-structured compliance automation guidance with clear workflows and validation checkpoints. However, it suffers from severe verbosity—the content could be reduced by 60-70% without losing functionality. The monolithic structure with inline schemas and repeated tables undermines progressive disclosure.
Suggestions

- Extract the P0 Rule Catalog table, YAML schemas (log-schema, cost-tracking, rbac-matrix), and Role-based Go/No-Go Checkpoints into separate reference files, leaving only summaries in SKILL.md
- Remove redundant explanations: the verification flow appears in at least 3 different formats (prose, pseudocode, table); consolidate to one
- Delete explanatory content Claude already knows (e.g., what Firestore is, how grep patterns work, basic RBAC concepts)
- Consolidate the Quick Reference table and '3 Execution Modes' section, since they duplicate the same information
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~1000+ lines with extensive repetition. Tables, flows, and schemas are duplicated across sections. Much content explains concepts Claude already knows (what RBAC is, how grep works, basic Firebase patterns). The P0 rule catalog appears in multiple formats unnecessarily. | 1 / 3 |
| Actionability | Highly actionable with concrete slash commands, executable bash scripts, complete TypeScript code examples, specific grep patterns, and copy-paste ready YAML schemas. The Gateway pattern example and verification scripts are fully executable. | 3 / 3 |
| Workflow Clarity | Excellent workflow clarity with explicit multi-step processes, validation checkpoints, and feedback loops. The Improve Mode Auto-Fix Logic, Gate Execution Flow, and verification scenarios all include clear sequencing with re-verification steps after fixes. | 3 / 3 |
| Progressive Disclosure | References external files (REFERENCE.md, p0-catalog.yaml) appropriately, but the main SKILL.md is monolithic with too much inline content. The 20+ checkpoint items, full YAML schemas, and detailed rule catalogs should be in separate reference files rather than embedded. | 2 / 3 |
| Total | 9 / 12 Passed | |
Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 10 / 11 passed

| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (897 lines); consider splitting into references/ and linking | Warning |
| Total | 10 / 11 Passed | |