Description
I was curious about the security-focused angle here, but the fundamentals seem to be missing some depth—let me walk through what I'm seeing at a 40/100 grade and where we could strengthen this.
Links:
The TL;DR
You're at 40/100, landing in F territory. This is based on Anthropic's best practices for agentic skills. Your strongest area is Spec Compliance (12/15)—the frontmatter and naming conventions are solid. The killer is Utility (4/20)—the skill promises a lot but doesn't deliver actual security functionality.
What's Working Well
- Clean metadata structure – Your YAML frontmatter is valid and the skill name follows hyphen-case conventions correctly
- Solid trigger phrases – The description nails discoverability with specific keywords: "penetration tests", "security audits", "cryptography implementation"
- Good spec alignment – You're following the skill format requirements properly; the problem is what's inside
The Big One: Empty Reference and Script Files
This is your main blocker. All three reference files (security_architecture_patterns.md, penetration_testing_guide.md, cryptography_implementation.md) are identical generic templates with placeholder text like "Pattern 1: Best Practice Implementation" and "Detailed explanation of the pattern." Same story with your Python scripts—they're all identical templates where analyze() just returns empty results.
You're promising "Complete toolkit for senior security" but delivering boilerplate. Replace those references with actual security patterns: OAuth 2.0 validation, STRIDE threat modeling, OWASP Top 10 mitigations, AES-256-GCM encryption, SQL injection prevention. The scripts should implement real security scanning—threat modeling analysis, secret detection, vulnerability testing. This alone could net you +15 points.
Other Things Worth Fixing
- Tech stack mismatch – Lists React, Next.js, Flutter but nothing security-specific. Swap in Burp Suite, OWASP ZAP, Metasploit, Wireshark, cryptography libraries. This shows you understand the actual tools.
- Marketing fluff everywhere – "Expert-level automation", "Production-grade output", "Complete toolkit" without substance. Replace with concrete descriptions of what actually happens (e.g., "Generates STRIDE threat models" instead of "Comprehensive analysis").
- Missing navigation – Your main SKILL.md is 210 lines with no table of contents, making it harder to navigate. A quick TOC at the top would help.
Quick Wins
Most impactful first:
- Populate reference files with real security patterns and implementation guidance (+10 points)
- Implement actual script logic instead of empty templates (+8 points)
- Swap generic tech stack for security-specific tools (+5 points)
- Strip marketing language and replace with concrete descriptions (+3 points)
Check out your skill here: [SkillzWave.ai](https://skillzwave.ai) | [SpillWave](https://spillwave.com) We have an agentic skill installer that installs skills in 14+ coding agent platforms. Check out this guide on how to improve your agentic skills.
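As an added example (not code from the reviewed skill and not part of the bot's comment), this is what a non-empty `analyze()` for the "secret detection" script the review asks for could look like, using only the Python standard library. The `Finding` type, the `analyze`/`report` names, the 4.5 bits-per-character entropy cutoff and the sample input are all assumptions made for illustration; the sample values are constructed and the `AKIA...` value is AWS's own documentation placeholder, not a live key.

```python
"""Added example: a non-empty analyze() for a secret-detection script.

Not code from the reviewed skill or the review comment. Names (Finding,
analyze, report), thresholds and the sample input are hypothetical.
"""
import math
import re
from dataclasses import dataclass

# Well-known credential formats: (finding kind, regex). When the regex has a
# capturing group, the last group is the secret value; otherwise the whole match is.
PATTERNS = [
    # AWS access key IDs: AKIA/ASIA prefix plus 16 upper-case alphanumerics
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    # PEM private key header (the header itself is the evidence)
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    # password/secret/token assigned a quoted literal of 6+ characters
    ("hardcoded_credential", re.compile(
        r"""(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['"]([^'"]{6,})['"]""")),
]

# Fallback for tokens no pattern knows: long runs of base64/hex-like characters
# with high Shannon entropy. 4.5 bits/char is the usual cutoff for the base64
# alphabet; hyphenated English such as "summer-campaign-2024-build" sits near
# 4.0 and must not be flagged.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_THRESHOLD = 4.5


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    match: str  # raw matched value; redact before showing it to anyone


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def _overlaps(span: tuple[int, int], spans: list[tuple[int, int]]) -> bool:
    s, e = span
    return any(s < e2 and s2 < e for s2, e2 in spans)


def analyze(text: str) -> list[Finding]:
    """Scan text line by line: pattern hits first, then uncovered high-entropy tokens."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        covered: list[tuple[int, int]] = []
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                covered.append(m.span())
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(line_no, kind, value))
        for m in TOKEN_RE.finditer(line):
            # an AWS key is also high-entropy; don't report it twice
            if _overlaps(m.span(), covered):
                continue
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high_entropy_string", m.group(0)))
    return findings


def redact(value: str) -> str:
    """Keep enough of the value to locate it, never enough to use it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def report(findings: list[Finding]) -> list[str]:
    """One human-readable line per finding; secrets redacted, PEM header shown as-is."""
    return [
        f"line {f.line_no}: {f.kind} "
        f"{f.match if f.kind == 'private_key' else redact(f.match)}"
        for f in findings
    ]


# Constructed sample input (not real credentials; the AKIA value is AWS's
# documentation placeholder). Lines 1 and 4 are expected to stay clean.
SAMPLE = "\n".join([
    'db_host = "db.internal"',
    'db_password = "hunter2-not-real"',
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    'release_name = "summer-campaign-2024-build"',
    "SIGNING_MATERIAL=aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xYzCDFH",
    "-----BEGIN RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    for line in report(analyze(SAMPLE)):
        print(line)
```

Running the block on `SAMPLE` yields four findings (lines 2, 3, 5 and 6) and no hit on the hyphenated release name, which is the point of keeping the entropy cutoff above 4.0: a pattern list alone misses unknown token formats, an entropy check alone floods the output with false positives, and the two together with span de-duplication are the minimum a script can do before it is honestly called secret detection.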