The Cyber Hygiene Assessment Skill is published by agensi and targets developers and security consultants who need to convert unstructured security evidence into formal, boardroom-ready deliverables without manually prompting a general-purpose AI. It processes raw inputs such as workshop transcripts, survey responses, and configuration logs through a 12-domain control framework covering areas including MFA, Patching, and Path Management. A structured 19-step workflow governs how evidence is interpreted, and the skill enforces a strict evidence-handling rule: where evidence is absent or ambiguous, gaps are marked as ‘Not Determined’ rather than inferred or invented. Outputs use a standardised Red-Amber-Green (RAG) rating system and include Executive Scorecards, Treatment Plans, and Remediation Roadmaps. Additional output formats include Cyber Healthcheck Reports, Executive Risk Briefings, Supplier Security Registers, and Residual Risk Summaries. Specialised templates are available for Supplier Security assessments and Finance Target Operating Models (TOM). Because every finding must be linked to specific evidence, the skill is designed to reduce the hallucination risk that arises when general AI models are asked to produce security assessments from loosely structured notes. It handles documentation generation, leaving security strategy decisions to the practitioner. No environment variables or package installation steps are documented for this skill.
Cyber Hygiene Assessment
Transform raw security evidence into professional Cyber Healthcheck reports, RAG scorecards, and remediation roadmaps.
Install
cmdop skills install agensi-cyber-hygiene-assessment
Use cases
- Convert workshop transcript notes into a structured Cyber Healthcheck Report
- Generate an Executive Risk Briefing from configuration logs for a board presentation
- Produce a RAG-rated scorecard across 12 cyber hygiene domains from survey evidence
- Build a Supplier Security Register from third-party assessment inputs
- Create a Residual Risk Summary after a remediation cycle
- Apply a Finance Target Operating Model template to a financial sector security assessment
When to use it
- When you have raw security evidence (transcripts, logs, survey data) that needs to become a formal deliverable
- When the output must follow a consistent 12-domain framework with RAG ratings
- When you need specialised templates for supplier security or finance sector assessments
- When evidence gaps must be explicitly flagged rather than filled with assumptions
When not to use it
- When you need real-time vulnerability scanning or active network assessment — this skill processes existing evidence only
- When your workflow requires tool-based integrations via MCP transports, as no transport is defined
- When you need a generic security checklist without a structured multi-domain framework
- When the deliverable format required falls outside Healthcheck Reports, Executive Briefings, Scorecards, Treatment Plans, or Residual Risk Summaries