isms-audit-expert

Senior ISMS Audit Expert for internal and external information security management system auditing. Provides ISO 27001 audit expertise, security audit program management, security control assessment, and compliance verification. Use for ISMS internal auditing, external audit preparation, security control testing, and ISO 27001 certification support.

Third-Party Agent Skill: Review the code before installing. Agent skills execute in your AI assistant's environment and can access your files.

Installation for Agentic Skill

skilz install alirezarezvani/claude-skills/isms-audit-expert
skilz install alirezarezvani/claude-skills/isms-audit-expert --agent opencode
skilz install alirezarezvani/claude-skills/isms-audit-expert --agent codex
skilz install alirezarezvani/claude-skills/isms-audit-expert --agent gemini

First time? Install Skilz: pip install skilz

Works with 22+ AI coding agents

Cursor, Aider, Copilot, Windsurf, Qwen, Kimi, and more...

Download Agent Skill ZIP

Extract and copy to ~/.claude/skills/ then restart Claude Desktop

1. Clone the repository:
git clone https://github.com/alirezarezvani/claude-skills
2. Copy the agent skill directory:
cp -r claude-skills/ra-qm-team/isms-audit-expert ~/.claude/skills/

Agentic Skill Details

Repository: claude-skills
Type: Other
Meta-Domain: N/A
Primary Domain: N/A
Market Score: 0.0

Agent Skill Grade

F
Score: 54/100

Score Breakdown

Spec Compliance: 12/15
PDA Architecture: 10/30
Ease of Use: 15/25
Writing Style: 6/10
Utility: 8/20
Modifiers: +3

Areas to Improve

  • Lists 15+ reference files, scripts, and assets that don't exist; violates core PDA principle of layered disclosure
  • Three large ASCII tree structures consume ~150 tokens each but convey information that could be expressed in bullet lists using 30 tokens
  • Workflow steps reference non-existent scripts making them impossible to execute; breaks feedback loop entirely

Recommendations

  • Focus on improving PDA (currently 10/30)
  • Focus on improving Utility (currently 8/20)
  • Address 2 high-severity issues first

Graded: 1/23/2026

Developer Feedback

I took a look at isms-audit-expert and noticed it's tackling information security management system auditing—a domain that really benefits from structured methodology. The skill reads more like a checklist framework than a tool that walks developers through why each control matters, which is probably why it landed at 54/100.

The TL;DR

You're at 54/100, which is an F grade. This is based on Anthropic's best practices for agentic skills. Your strongest area is Spec Compliance (12/15)—the frontmatter and naming conventions are solid. The real drag is Progressive Disclosure Architecture (10/30)—you're promising 15+ reference files and scripts that don't actually exist on disk, which completely breaks the layered structure that makes skills token-efficient and maintainable.

What's Working Well

  • Strong trigger terms: Your metadata includes specific, actionable triggers like "ISMS audit", "ISO 27001", and "security control assessment"—developers will find this skill when they need it
  • Clear spec compliance: Valid YAML frontmatter, proper naming conventions, and all required fields are in place
  • Navigable structure: The numbered sections and TOC-like layout make it easy to scan within the single file
  • Real domain expertise: The ISO 27001 framework and ISMS methodology are legit; the conceptual foundation is sound

The Big One: Phantom References

This is your biggest blocker. You list 15+ files that don't exist: iso27001-audit-methodology.md, isms-audit-scheduler.py, security-audit-prep.py, templates in assets/, examples scattered across references/. None of these files are on disk.

Here's what's happening: you're violating the core PDA principle. Instead of layering content efficiently (essential stuff inline, deep dives in separate files), you're promising files that users can't access. The workflows become non-executable—"Follow scripts/security-audit-prep.py" doesn't work when the script doesn't exist.

The fix: Either create those files with actual content (ISO 27001 checklist templates, audit planning scripts, control mapping guides) and commit them to the repo, OR cut the references section entirely and embed the essential guidance inline. Don't promise what you can't deliver. You could probably gain +8 points just by making this consistent.

Other Things Worth Fixing

  1. ASCII art is burning tokens (150 tokens per diagram, 3 total): Those tree structures are pretty but verbose. Replace with bullet lists. Same info, 30 tokens. +4 points if you trim this down.

  2. Inconsistent terminology throughout: You use "ISMS audit", "security audit", "ISO 27001 audit", and "cybersecurity audit" interchangeably. Pick one primary term and stick with it; the others are secondary variations. +3 points for consistency.

  3. Workflows reference phantom scripts: Steps like "Pre-audit Security Review: Follow scripts/security-audit-prep.py" can't be executed. Make workflows standalone with inline steps instead. +5 points when fixed.

  4. Marketing language dilutes instruction: Phrases like "expert-level", "comprehensive", "proven" add no functional value. Just tell us what to do, not how impressive it is.

Quick Wins

  • Create or remove: Commit the 15+ referenced files OR delete references section (biggest impact: +8 points)
  • Tighten ASCII art: Convert tree structures to bullet points (impact: +4 points)
  • Standardize terminology: One primary term, consistent usage throughout (impact: +3 points)
  • Embed workflows: Replace script references with inline steps (impact: +5 points)

Hit these four items and you're probably looking at low-to-mid 70s.


Check out your skill here: SkillzWave.ai | SpillWave. We have an agentic skill installer that installs skills in 14+ coding agent platforms. Check out this guide on how to improve your agentic skills.
