cve-reachability-analyzer

Analyze CVE reachability in software repositories by examining how vulnerable dependencies are imported and used. Determines whether vulnerable components, classes, or functions are reachable from project code through call chain analysis, reflection detection, dynamic loading patterns, and configuration-gated behavior. Classifies each CVE as likely reachable, possibly reachable, or likely unreachable with supporting evidence. Use when analyzing security vulnerabilities in dependencies, performing post-disclosure CVE triage, assessing vulnerability impact, or when users ask to analyze CVE reachability, check if vulnerabilities are exploitable, or evaluate dependency security risks.

1.05x

Quality

85%

Does it follow best practices?

Impact

99%

1.05x

Average score across 3 eval scenarios

Securityby

Passed

No known issues

Quality

Content

70%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured skill with excellent workflow clarity and progressive disclosure. The main weaknesses are moderate verbosity (explaining concepts Claude knows) and lack of concrete, executable code examples - the skill describes what to do rather than showing specific code patterns for common languages. The output format template is helpful but the analysis steps would benefit from inline code snippets.

Suggestions

Add concrete code examples for at least 2-3 common languages (e.g., Python import tracing, Java reflection detection) instead of deferring all specifics to reference files

Remove explanatory text that Claude already knows (e.g., 'Reachability ≠ exploitability', definitions of CVE fields) to reduce token usage

Include a minimal executable example in the 'Example Usage' section showing actual code/commands rather than describing the process abstractly

Dimension	Reasoning	Score
Conciseness	The skill is reasonably efficient but includes some unnecessary explanation (e.g., explaining what CVE information contains, basic concepts like 'Reachability ≠ exploitability'). The workflow steps could be more condensed, and some sections repeat information that Claude would already understand.	2 / 3
Actionability	The skill provides structured guidance with clear steps but lacks concrete, executable code examples. The 'Example Usage' section describes a process abstractly rather than showing actual code. References to language-specific patterns defer to external files without inline examples.	2 / 3
Workflow Clarity	The 9-step workflow is clearly sequenced with explicit decision points (early exits in Step 2), validation checkpoints, and clear classification criteria in Step 8. The progression from dependency verification through import analysis to call chain tracing is logical and includes feedback considerations.	3 / 3
Progressive Disclosure	Excellent structure with a clear overview, well-organized workflow steps, and appropriate references to external files (reachability_patterns.md, language_guide.md, cve_analysis.md) for detailed information. References are one level deep and clearly signaled with descriptive labels.	3 / 3
	Total	10 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly articulates a specialized security analysis capability. It provides specific technical actions (call chain analysis, reflection detection), concrete outputs (three-tier classification with evidence), and comprehensive trigger guidance covering multiple user scenarios. The description uses appropriate third-person voice throughout and balances technical precision with natural language triggers.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions: 'examining how vulnerable dependencies are imported and used', 'call chain analysis', 'reflection detection', 'dynamic loading patterns', 'configuration-gated behavior', and classifies CVEs into three categories with 'supporting evidence'.	3 / 3
Completeness	Clearly answers both what (analyze CVE reachability through call chain analysis, reflection detection, etc., classifying as reachable/unreachable) AND when with explicit 'Use when...' clause covering multiple trigger scenarios including 'analyzing security vulnerabilities', 'CVE triage', and 'check if vulnerabilities are exploitable'.	3 / 3
Trigger Term Quality	Excellent coverage of natural terms users would say: 'CVE', 'security vulnerabilities', 'dependencies', 'vulnerability impact', 'exploitable', 'dependency security risks', 'CVE triage', 'CVE reachability'. These are terms security professionals naturally use.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive niche focused specifically on CVE reachability analysis in dependencies. The combination of 'CVE', 'reachability', 'call chain analysis', and vulnerability classification creates a clear, unique domain unlikely to conflict with general security or code analysis skills.	3 / 3
	Total	12 / 12 Passed

Validation

100%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: ArabelaTso/Skills-4-SE
Commit: 0f00a4f

Reviewed: 4 months ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.